Audit Report

OIG-13-007
INFORMATION TECHNOLOGY: The Department of the Treasury Federal Information Security Management Act Fiscal Year 2012 Performance Audit
November 9, 2012

Office of Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

November 9, 2012

OFFICE OF INSPECTOR GENERAL

MEMORANDUM FOR:  NANI COLORETTI
                 ACTING ASSISTANT SECRETARY FOR MANAGEMENT

                 ROBYN EAST
                 DEPUTY ASSISTANT SECRETARY FOR INFORMATION SYSTEMS AND CHIEF INFORMATION OFFICER

FROM:            Marla A. Freedman /s/
                 Assistant Inspector General for Audit

SUBJECT:         Audit Report – Fiscal Year 2012 Audit of Treasury's Federal Information Security Management Act Implementation for Its Unclassified Systems

We are pleased to transmit the following reports:

    • The Department of the Treasury Federal Information Security Management Act Fiscal Year 2012 Performance Audit, November 7, 2012 (Attachment 1)
    • Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2012 (Audit No. 2012-20-114), September 28, 2012 (Attachment 2)

The Department of the Treasury Federal Information Security Management Act (FISMA) Fiscal Year 2012 report presents the audit results of Treasury's compliance with FISMA for its unclassified systems. FISMA requires federal agencies, including Treasury, to (1) have an annual independent evaluation performed of their information security programs and practices and (2) report the results of the evaluation to the Office of Management and Budget (OMB). OMB has delegated to the Department of Homeland Security (DHS) the collection of annual FISMA responses. FISMA also requires that the independent evaluation be performed by the agency Inspector General (IG) or an independent external auditor as determined by the IG. To meet our FISMA requirements, we contracted with KPMG LLP, an independent certified public accounting firm, to perform the FISMA audit of Treasury's unclassified systems, except for those of the Internal Revenue Service (IRS), which was performed by the Treasury Inspector General for Tax Administration (TIGTA). As indicated above, TIGTA's audit results are presented in Attachment 2. Appendix IV of Attachment 1 includes our response to DHS's FISMA 2012 Questions for Inspectors General and incorporates the responses from the TIGTA report as well. KPMG conducted its audit in accordance with generally accepted government auditing standards.

Based on the results reported by KPMG, TIGTA, and the financial statement audit report of the IRS conducted by the Government Accountability Office (GAO),[1] we determined that Treasury's information security program for unclassified systems is in place and is generally consistent with FISMA, but could be more effective.

The KPMG audit of Treasury's unclassified systems (except for those of the IRS) identified a number of areas that could be improved. Specifically, KPMG reported that:

    1. Logical account management activities were not in place or not consistently performed by the Bureau of Public Debt (BPD), the Alcohol and Tobacco Tax and Trade Bureau, Departmental Offices (DO), Office of the Comptroller of the Currency (OCC), and Financial Crimes Enforcement Network (FinCEN).
    2. Security incidents were not reported in a timely manner at the Bureau of Engraving and Printing, BPD, and FinCEN.
    3. System security plans at OCC and Financial Management Service (FMS) did not fully document all security controls from National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3, and one System Security Plan for FinCEN was not updated to address weaknesses identified in the security assessments.
    4. Audit logs were not sufficiently reviewed by FMS and DO in accordance with NIST and Treasury requirements.
    5. Plans of Action and Milestones were not tracked in accordance with NIST and Treasury requirements at DO.
    6. Vulnerability scanning and remediation was not performed in accordance with Treasury requirements at FMS, United States Mint, DO, BPD, and OCC.
    7. Contingency planning and testing controls were not fully implemented or operating as designed at DO and FMS.
    8. Backup controls were not in place or were not operating as designed at BPD and Community Development Financial Institution Fund.
    9. System configuration settings were not implemented properly at DO and OCC.
    10. System baselines were not documented properly at BPD, FMS, and FinCEN.
    11. Multifactor authentication was not implemented at FMS.

[1] FINANCIAL AUDIT: IRS's Fiscal Years 2012 and 2011 Financial Statements (GAO-13-120, dated November 2012)

KPMG is making 31 recommendations to the responsible officials to address the findings noted above.

TIGTA reported that the IRS's information security program generally complies with FISMA, but improvements are needed as a result of the conditions identified in configuration management, identity and access management, and security training.

In addition, GAO reported IRS's information security over financial reporting systems as a significant deficiency, which was previously reported as a long-standing material weakness.

In connection with the contract with KPMG, we reviewed their report and related documentation and inquired of its representatives. Our review was differentiated from an audit performed in accordance with generally accepted auditing standards.

If you have any questions or require further information, you may contact me at (202) 927-5400 or Joel A. Grover, Deputy Assistant Inspector General for Financial Management and Information Technology Audit, at (202) 927-5768.

Attachments

cc: Edward A. Roback
    Associate Chief Information Officer
    Cyber Security

ATTACHMENT 1

The Department of the Treasury Federal Information Security Management Act Fiscal Year 2012 Performance Audit, November 7, 2012

The Department of the Treasury
Federal Information Security Management Act
Fiscal Year 2012 Performance Audit

November 7, 2012

KPMG LLP
1676 International Drive, Suite 1200
McLean, VA 22102

The Department of the Treasury
Federal Information Security Management Act Fiscal Year 2012 Performance Audit

Table of Contents

FISMA Performance Audit Report
BACKGROUND ... 4
  Federal Information Security Management Act (FISMA) ... 4
  Federal Standards and Guidelines ... 4
  Department of the Treasury Bureaus/Offices (Bureaus) ... 5
  Department of the Treasury Information Security Management Program ... 6
OVERALL AUDIT RESULTS ... 9
FINDINGS ... 12
  1. Logical account management activities were not in place or were not consistently performed by the bureaus at BPD, TTB, DO, OCC, and FinCEN ... 12
  2. Security incidents were not reported in a timely manner at BEP, BPD, and FinCEN ... 13
  3. System security plans at OCC and FMS did not fully document all security controls from NIST SP 800-53, Rev. 3, and one SSP for FinCEN was not updated to address weaknesses identified in the security assessments ... 15
  4. Audit logs were not sufficiently reviewed by FMS and DO in accordance with NIST and Department of the Treasury requirements ... 15
  5. POA&Ms were not tracked in accordance with NIST and Department of the Treasury requirements at DO ... 16
  6. Vulnerability scanning and remediation was not performed in accordance with Department of the Treasury requirements at FMS, Mint, DO, BPD, and OCC ... 17
  7. Contingency planning and testing controls were not fully implemented or operating as designed at DO and FMS ... 18
  8. Backup controls were not in place or were not operating as designed at BPD and CDFI Fund ... 19
  9. System configuration settings were not implemented properly at DO and OCC ... 20
  10. System baselines were not documented properly at BPD, FMS, and FinCEN ... 20
  11. Multifactor authentication was not implemented at FMS ... 21
MANAGEMENT RESPONSE TO THE REPORT ... 22

Appendices
APPENDIX I – OBJECTIVE, SCOPE, AND METHODOLOGY ... 34
APPENDIX II – STATUS OF PRIOR-YEAR FINDINGS ... 38
APPENDIX III – THE DEPARTMENT OF THE TREASURY'S CONSOLIDATED RESPONSE TO DHS's FISMA 2012 QUESTIONS FOR INSPECTORS GENERAL ... 53
APPENDIX IV – APPROACH TO SELECTION OF SUBSET OF SYSTEMS ... 64
APPENDIX V – SELECTED SECURITY CONTROL CLASSES AND FAMILIES ... 66
APPENDIX VI – SUMMARY OF OTHER IT FINDINGS FROM TREASURY FINANCIAL STATEMENT AUDITS ... 70
APPENDIX VII – GLOSSARY OF TERMS ... 75

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

Honorable Eric Thorson
Inspector General, Department of the Treasury
1500 Pennsylvania Avenue NW
Room 4436
Washington, DC 20220

Re: The United States Department of the Treasury Federal Information Security Management Act Fiscal Year 2012 Performance Audit

Dear Mr. Thorson:

This report presents the results of our independent evaluation of the United States Department of the Treasury's information security program and practices. The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the Department of the Treasury, to have an annual independent evaluation performed of their information security programs and practices and to report the results of the evaluations to the Office of Management and Budget (OMB). OMB has delegated its responsibility to the Department of Homeland Security (DHS) for the collection of annual FISMA responses. DHS has prepared the FISMA 2012 questionnaire to collect these responses. Appendix III, The Department of the Treasury's Consolidated Response to DHS's FISMA 2012 Questions for Inspectors General, provides the Treasury's response to the questionnaire. FISMA requires that the independent evaluation be performed by the agency Inspector General (IG) or an independent external auditor as determined by the IG. The Department of the Treasury Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct this independent evaluation (referred to herein as a "performance audit").

We conducted our performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS) issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

The objective for this performance audit was to determine the effectiveness of the Department of the Treasury's information security program and practices for the period July 1, 2011 to June 30, 2012 for its unclassified systems, including the Department of the Treasury's compliance with FISMA and related information security policies, procedures, standards, and guidelines. We based our work, in part, on a sample of bureau-wide security controls and system-specific security controls across 15 selected Department of the Treasury information systems. The scope of our work did not include the Internal Revenue Service (IRS), as the component was audited by the Department of the Treasury Inspector General for Tax Administration (TIGTA). The TIGTA report will be appended to this report and the findings of that report will be incorporated within Appendix III, The Department of the Treasury's Consolidated Response to DHS's FISMA 2012 Questions for Inspectors General. Additional details regarding the scope of our performance audit are included in the Objective, Scope & Methodology section of this report.

Based on our audit work, we concluded that the United States Department of the Treasury's information security program and practices for its non-IRS bureaus' unclassified systems were generally consistent with the FISMA legislation, OMB information security requirements, and related information security standards published by the National Institute of Standards and Technology (NIST). While the information security program was generally consistent with the FISMA legislation, the program was not fully effective as reflected in the findings identified in the following areas:

    1. Logical account management activities were not in place or not consistently performed by the Bureau of Public Debt (BPD), the Alcohol and Tobacco Tax and Trade Bureau (TTB), Departmental Offices (DO), Office of the Comptroller of the Currency (OCC), and Financial Crimes Enforcement Network (FinCEN).
    2. Security incidents were not reported in a timely manner at the Bureau of Engraving and Printing (BEP), BPD, and FinCEN.
    3. System security plans at OCC and Financial Management Service (FMS) did not fully document all security controls from NIST Special Publication (SP) 800-53, Revision (Rev.) 3, and one System Security Plan (SSP) for FinCEN was not updated to address weaknesses identified in the security assessments.
    4. Audit logs were not sufficiently reviewed by FMS and DO in accordance with NIST and Department of the Treasury requirements.
    5. Plans of Action and Milestones (POA&Ms) were not tracked in accordance with NIST and Department of the Treasury requirements at DO.
    6. Vulnerability scanning and remediation was not performed in accordance with Department of the Treasury requirements at FMS, United States Mint (Mint), DO, BPD, and OCC.
    7. Contingency planning and testing controls were not fully implemented or operating as designed at DO and FMS.
    8. Backup controls were not in place or were not operating as designed at BPD and Community Development Financial Institution (CDFI) Fund.
    9. System configuration settings were not implemented properly at DO and OCC.
    10. System baselines were not documented properly at BPD, FMS, and FinCEN.
    11. Multifactor authentication was not implemented at FMS.

We have made 31 recommendations related to these control deficiencies that, if addressed by management, will strengthen the respective bureaus, offices, and the Department of the Treasury's information security program. In a written response, the Treasury Chief Information Officer (CIO) agreed with our findings and recommendations and provided corrective action plans (see Management Response). The Department of the Treasury's planned corrective actions are responsive to the intent of our recommendations. We tested controls for the period July 1, 2011 to June 30, 2012. We caution that projecting the results of our audit to future periods is subject to the risks that controls may become inadequate because of changes in technology or because compliance with controls may deteriorate.

Appendix I describes the FISMA audit's objective, scope, and methodology. Appendix II, Status of Prior-Year Findings, summarizes the Department of the Treasury's progress in addressing prior-year recommendations. Appendix III provides The Department of the Treasury's Consolidated Response to DHS's FISMA 2012 Questions for Inspectors General. Appendix IV, Approach to Selection of Subset of Systems, describes how we selected systems for review. Appendix V, Selected Security Control Classes and Families, describes the selected NIST SP 800-53, Rev. 3, security controls reviewed for each of the selected systems. Appendix VI summarizes IT security findings identified from the Department of the Treasury's financial statement audit at non-IRS bureaus that impact FISMA compliance, and Appendix VII contains a glossary of terms used in this report.

Sincerely,

November 7, 2012

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

The Department of the Treasury FISMA Performance Audit – 2012

BACKGROUND

Federal Information Security Management Act (FISMA)

Title III of the E-Government Act of 2002 (the Act), commonly referred to as FISMA, focuses on improving oversight of federal information security programs and facilitating progress in correcting agency information security weaknesses. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The Act assigns specific responsibilities to agency heads and Inspectors General (IGs) in complying with requirements of FISMA. The Act is supported by Office of Management and Budget (OMB), agency security policy, and risk-based standards and guidelines published by National Institute of Standards and Technology (NIST) related to information security practices.

Under FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Agency heads are also responsible for complying with the requirements of FISMA and related OMB policies and NIST procedures, standards, and guidelines. FISMA directs federal agencies to report annually to the OMB Director, Comptroller General, and selected congressional committees on the adequacy and effectiveness of agency information security policies, procedures, and practices and compliance with FISMA. OMB has delegated some responsibility to the Department of Homeland Security (DHS) in memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security, for the operational aspects of Federal cyber security, such as establishing government-wide incident response and operating the tool to collect FISMA metrics. In addition, FISMA requires agencies to have an annual independent evaluation performed of their information security programs and practices and to report the evaluation results to OMB. FISMA states that the independent evaluation is to be performed by the agency IG or an independent external auditor as determined by the IG.

Federal Standards and Guidelines

OMB has directed agencies to use NIST Federal Information Processing Standards (FIPS) Publication 199, Security Categorization of Federal Information and Information Systems, to apply a security categorization rating to an information system. This rating is assigned to an information system based on an evaluation of its confidentiality, integrity, and availability.

OMB has further directed that agencies use NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, in order to apply a security controls baseline to the information system, based on the FIPS Publication 199 categorization. FIPS Publication 200 specifies the minimum security requirements for the information system and provides a risk-based process for determining the minimum security controls necessary for the information system. In addition, FIPS Publication 200 specifies 18 control families that must be addressed when implementing security controls commensurate with the FIPS Publication 199 security categorization of the system.

NIST Special Publication (SP) 800-53, Revision (Rev.) 3, Recommended Security Controls for Federal Information Systems and Organizations, further defines the 18 control families outlined in FIPS Publication 200, by defining the minimum set of security controls for non-national security systems of all Federal agencies. NIST SP 800-53, Rev. 3, then divides the 18 control families into three control classes (management, operational, and technical security controls). Management controls are the safeguards or countermeasures, related to an information system, which focus on the management of risk and system security. Operational controls are the safeguards and countermeasures for an information system, but are primarily implemented and executed by individuals (as opposed to information systems). Technical controls are also the safeguards or countermeasures for an information system, but are primarily implemented and executed by the system through mechanisms contained in the hardware, software, or firmware components of the system. Table 1 details the security control classes and families.

Table 1: Security Control Classes and Families

Security Control Class    Security Control Family
Management                Planning
                          Program Management
                          Risk Assessment
                          Security Assessment and Authorization
                          System and Services Acquisition
Operational               Awareness and Training
                          Configuration Management
                          Contingency Planning
                          Incident Response
                          Maintenance
                          Media Protection
                          Personnel Security
                          Physical and Environmental Protection
                          System and Information Integrity
Technical                 Access Control
                          Audit and Accountability
                          Identification and Authentication
                          System and Communications Protection
Source: NIST Special Publication 800-53 Revision 3

Department of the Treasury Bureaus/Offices (Bureaus)

The Department of the Treasury consists of 13 operating bureaus and offices, including:

     1. Alcohol and Tobacco Tax and Trade Bureau (TTB) – Responsible for enforcing and administering laws covering the production, use, and distribution of alcohol and tobacco products. TTB also collects excise taxes for firearms and ammunition.
     2. Bureau of Engraving and Printing (BEP) – Designs and manufactures United States paper currency, securities, and other official certificates and awards.
     3. Bureau of the Public Debt (BPD) – Borrows the money needed to operate the Federal government. It administers the public debt by issuing and servicing United States Department of the Treasury marketable, savings, and special securities.
     4. Community Development Financial Institution (CDFI) Fund – Created to expand the availability of credit, investment capital, and financial services in distressed urban and rural communities.
     5. Departmental Offices (DO) – Primarily responsible for policy formulation. The DO, while not a formal bureau, is composed of divisions headed by Assistant Secretaries, some of whom report to Under Secretaries. These offices include Domestic Finance, Economic Policy, General Counsel, International Affairs, Legislative Affairs, Management, Public Affairs, Tax Policy, and Terrorism and Financial Intelligence. The Office of Cybersecurity, within the Office of Management, is responsible for the development of information technology (IT) Security Policy.
     6. Financial Crimes Enforcement Network (FinCEN) – Supports law enforcement investigative efforts and fosters interagency and global cooperation against domestic and international financial crimes. It also provides United States policy makers with strategic analyses of domestic and worldwide trends and patterns.
     7. Financial Management Service (FMS) – Receives and disburses all public monies, maintains government accounts, and prepares daily and monthly reports on the status of government finances.
     8. Internal Revenue Service (IRS) – Responsible for determining, assessing, and collecting internal revenue in the United States.
     9. Office of the Comptroller of the Currency (OCC) – Charters, regulates, and supervises national banks and thrift institutions to ensure a safe, sound, and competitive banking system that supports the citizens, communities, and economy of the United States.
     10. Office of the Inspector General (OIG) – Conducts and supervises audits and investigations of the Department of the Treasury programs and operations. The OIG also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in the Department of the Treasury programs and operations.
     11. United States Mint (Mint) – Designs and manufactures domestic, bullion, and foreign coins as well as commemorative medals and other numismatic items. The Mint also distributes United States coins to the Federal Reserve banks as well as maintains physical custody and protection of our nation's silver and gold assets.
     12. Special Inspector General for the Troubled Asset Relief Program (SIGTARP) – Has the responsibility to conduct, supervise, and coordinate audits and investigations of the purchase, management, and sale of assets under the Troubled Asset Relief Program (TARP). SIGTARP's goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs (i.e., the American taxpayers).
     13. Treasury Inspector General for Tax Administration (TIGTA) – Conducts and supervises audits and investigations of IRS programs and operations. The TIGTA also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in IRS programs and operations.

The scope of our 2012 FISMA audit did not include the IRS, which was audited by TIGTA. The TIGTA report will be appended to this report and the findings of that report will be incorporated within Appendix III, The Department of the Treasury's Consolidated Response to DHS's FISMA 2012 Questions for Inspectors General.

Department of the Treasury Information Security Management Program

Treasury Office of the Chief Information Officer (OCIO)

The Treasury Chief Information Officer (CIO) is responsible for providing Treasury-wide leadership and direction for all areas of information and technology management, as well as the oversight of a number of IT programs. Among these programs is Cyber Security, which has responsibility for the implementation and management of Treasury-wide IT security programs and practices. Through its mission, the OCIO Cyber Security Program develops and implements IT security policies and provides policy compliance oversight for both unclassified and classified systems managed by each of the Department of the Treasury's bureaus. The OCIO Cyber Security Program's mission focuses on the following areas:

   1. Cyber Security Policy – Manages and coordinates the Departmental cyber security policy for sensitive (unclassified) systems throughout the Department of the Treasury, assuring these policies and requirements are updated to address today's threat environment, and conducts program performance, progress monitoring, and analysis.
   2. Performance Monitoring and Reporting – Implements collection of Federal and Department of the Treasury-specific security measures and reports those to national authorities and in appropriate summary or dashboard form to senior management, IT managers, security officials, and Bureau officials. For example, this includes preparation and submission of the annual FISMA report and more frequent continuous monitoring information through CyberScope.
   3. Cyber Security Reviews – Conducts technical and program reviews to help strengthen the overall cyber security posture of the Department of the Treasury and meet their oversight responsibilities.
   4. Enterprise-wide Security – Works with the Bureaus' and the Department of the Treasury's Government Security Operations Center to deploy new Department of the Treasury-wide capabilities or integrate those already in place, as appropriate, to strengthen the overall protection of the Department of the Treasury. Examples include implementation of Domain Name System Security Extensions, an automated asset inventory, and Department of the Treasury-wide security-related audit findings. Includes addressing the Department of the Treasury's strategies and plans to mitigate cyber security risks from configuration and other vulnerabilities.
   5. Understanding Security Risks and Opportunities from New Technologies – New information and security technologies present both risks (e.g., introduction of new vulnerabilities) and opportunities (e.g., new means to provide secure and original functionality for users). OCIO seeks to understand these technologies, their associated risks and opportunities, and share and use that information to the Department of the Treasury's advantage. Vulnerability Analysis, Configuration and Planning analyzes current and emerging technologies and Cyber Critical Infrastructure Protection. Implements cyber-related requirements of Homeland Security Presidential Directive No. 7, "Critical Infrastructure Identification, Prioritization, and Protection," focusing on the protection of Department of the Treasury-owned cyber assets.
   6. Treasury Computer Security Incident Response Capability (TCSIRC) – Provides incident reporting with external reporting entities and conducts performance monitoring and analyses of Computer Security Incident Response Center (CSIRC) within the Department of the Treasury.
   7. National Security Systems – Manages and coordinates the Department of the Treasury-wide program to address the cyber security requirements of national security systems through the development of policy and program or technical security performance reviews.
   8.
Cyber Security Sub-Council (CSS) of the CIO Council \xe2\x80\x93 Operates to serve as the formal means\n      for gaining bureau input and advice as new policies are developed, enterprise-wide activities are\n      considered, and performance measures are developed and implemented; provides a structured\n      means for information-sharing among the bureaus.\n\nThe CIO has tasked the Associate Chief Information Officer for Cyber Security (ACIOCS) with the\nresponsibility of managing and directing the OCIO\xe2\x80\x99s Cyber Security program, as well as ensuring\ncompliance with statutes, regulations, policies, and guidance. The ACIOCS and the Cyber Security\nProgram have established Treasury Directive Publication (TD P) 85-01 Volume I, Treasury Information\nTechnology Security Program, as the Department of the Treasury IT security policy to provide for\ninformation security for all information and information systems that support the mission of the\nDepartment of the Treasury, including those operated by another Federal agency or contractor on behalf\nof the Department of the Treasury. In addition, as OMB periodically releases updates/clarifications of\nFISMA or as NIST releases updates to publications, the ACIOCS and the Cyber Security Program have\n\n\n                                                                                                     Page 7\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\nresponsibility to interpret and release updated policy for the Department of the Treasury. The ACIOCS\nand the Cyber Security Program are also responsible for promoting and coordinating a Department of the\nTreasury IT security program, as well as monitoring and evaluating the status of Department of the\nTreasury\xe2\x80\x99s IT security posture and compliance with statutes, regulations, policies, and guidance. 
Lastly,\nthe ACIOCS has the responsibility of managing Department of the Treasury\xe2\x80\x99s IT Critical Infrastructure\nProtection (CIP) program for Department of the Treasury IT assets.\n\nBureau CIOs\n\nOrganizationally, the Department of the Treasury has established bureau-level and office (bureau) CIOs.\nThe CIOs are responsible for managing the IT security program for their bureau, as well as advising the\nbureau head on significant issues related to the bureau IT security program. The CIOs also have the\nresponsibility for overseeing the development of procedures that comply with Treasury OCIO policy and\nguidance and federal statutes, regulations, policy, and guidance. The bureau Chief Information Security\nOfficers (CISO) are tasked by their respective CIOs to serve as the central point of contact for the\nbureau\xe2\x80\x99s IT security program, as well as to develop and oversee the bureau\xe2\x80\x99s IT security program. This\nincludes the development of policies, procedures, and guidance required to implement and monitor the\nbureau IT security program.\n\nDepartment of the Treasury \xe2\x80\x93 Bureau OCIO Collaboration\n\nThe Department of the Treasury OCIO has established the CIO CSS, which is co-chaired by the ACIOCS\nand a bureau CIO. The CSS serves as a mechanism for obtaining bureau-level input and advises on new\npolicies, Department of the Treasury IT security activities, and performance measures. The CSS also\nprovides a means for sharing IT security-related information among bureaus. 
Included on the CSS are\nrepresentatives from the OCIO and bureau CIO organizations.\n\n\n\n\n                                                                                                  Page 8\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\nOVERALL AUDIT RESULTS\n\nWe concluded that the Department of the Treasury\xe2\x80\x99s information security program and practices for its\nnon-IRS bureaus\xe2\x80\x99 unclassified systems were generally consistent 1 with the FISMA legislation and related\ninformation security policies, standards, and guidelines. However, they were not fully effective, resulting\nin the identification of 11 categories of control weaknesses and 31 recommendations that the bureaus,\noffices, and the Department of the Treasury should address to strengthen their information security\nmanagement programs. The Findings section of this report presents the detailed findings and associated\nrecommendations. In a written response to this report, the Treasury CIO agreed with our findings and\nrecommendations and provided corrective action plans (see Management Response). The Department of\nTreasury\xe2\x80\x99s planned corrective actions are responsive to the intent of our recommendations.\n\nAdditionally, we evaluated all prior-year findings from the fiscal year (FY) 2011 FISMA Performance\nAudit and noted that 20 of 28 findings had been closed by management. For 3 of the 28 findings, we were\nunable to test the implementation of the findings in time by our end of fieldwork date, June 30, 2012. For\nthese findings, we noted that they are closed but untested and should be evaluated as part of the FY 2013\nindependent evaluation. See Appendix II, Status of Prior-Year Findings, for additional details.\n\nSummaries of the 11 categories of control weaknesses follow:\n\n            1. 
Logical account management activities were not in place or not consistently performed\n               by BPD, TTB, DO, OCC, and FinCEN.\n\n                Logical account management activities were not in place or activities, such as disabling\n                accounts of users that no longer need access and documenting of access approvals, were not\n                consistently performed at BPD, TTB, DO, OCC, and FinCEN. By not establishing and\n                consistently performing access management activities, there is an increased risk that\n                potentially unauthorized access, disclosure, and changes could occur within the IT\n                infrastructure.\n\n            2. Security incidents were not reported in a timely manner at BEP, BPD, and FinCEN.\n\n                There were untimely reporting of incidents at BEP, BPD, and FinCEN. These bureaus had\n                United States Computer Emergency Readiness Team (US-CERT) Category (CAT) 1 security\n                incidents that were reported after the timelines had lapsed. By not reporting security incidents\n                in a timely manner, these bureaus increased the risk posed to their information systems while\n                the incidents were unreported.\n\n            3. System security plans at OCC and FMS did not fully document all security controls\n               from NIST SP 800-53 Rev. 3, and one SSP for FinCEN was not updated to address\n               weaknesses identified in the security assessments.\n\n                OCC and FMS relied on system security plans (SSP) that did not contain all of the security\n                controls required by NIST SP 800-53, Rev. 3, and FinCEN had not updated an SSP to reflect\n                and address self-identified control weaknesses. NIST SP 800-53, Rev. 
3, was issued in\n                August 2009, and agencies were required to implement this guidance one year after issuance.\n                Failing to select the proper baseline of security controls, or failing to document the results of\n                a risk assessment within a system\xe2\x80\x99s SSP, impacts subsequent security activities in the NIST\n\n1\n    TIGTA will provide a separate report evaluating the IRS\xe2\x80\x99s implementation of the Department of the Treasury\xe2\x80\x99s information\n     security program.\n\n\n                                                                                                                        Page 9\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n          Risk Management Framework. Therefore, system security controls may not appropriately or\n          sufficiently protect the confidentiality, integrity, and availability of sensitive bureau\n          information.\n\n       4. Audit logs were not sufficiently reviewed by FMS and DO in accordance with NIST and\n          Department of the Treasury requirements.\n\n          FMS and DO did not fully implement NIST auditing and accountability controls as required\n          by NIST and Treasury guidance. By not identifying and reviewing significant audit events,\n          system owners may be unable to identify and mitigate all significant threats to the information\n          system. This could cause Treasury personnel to remain unaware of security incidents that\n          have already taken place, leaving the system in a compromised state for an extended period.\n\n       5. 
Plans of Action and Milestones (POA&Ms) were not tracked in accordance with NIST\n          and Department of the Treasury requirements at DO.\n\n          DO did not fully implement POA&M controls as required by NIST and Treasury guidance.\n          By not timely recording and updating identified security weaknesses in their respective\n          systems, DO and Treasury management would not be able to exercise their oversight\n          responsibilities to modify funding levels, human resources, and requested priorities in\n          response to identified security weaknesses.\n\n       6. Vulnerability scanning and remediation was not performed in accordance with\n          Treasury requirements at FMS, Mint, DO, BPD, and OCC.\n\n          FMS, Mint, DO, BPD, and OCC did not fully implement NIST vulnerability scanning and\n          flaw remediation controls as required by NIST and Department of the Treasury guidance.\n          Without knowledge of missing security patches, insecure configurations, or application\n          vulnerabilities, Department of the Treasury bureaus could not take steps to mitigate potential\n          vulnerabilities in their information systems. Additionally, lack of timely remediation of\n          vulnerabilities can result in systems being compromised.\n\n       7. Contingency planning and testing controls were not fully implemented or operating as\n          designed at DO and FMS.\n\n          DO and FMS did not fully implement contingency planning and testing controls as required\n          by NIST and Department of the Treasury guidance. Disaster failover tests are paramount in\n          assuring that in emergencies, systems can recover with the least amount of down time\n          possible. Failure to appropriately test contingency plans could result in the unavailability of\n          critical Department of the Treasury information and information systems in the event of a\n          disaster.\n\n       8. 
Backup controls were not in place or were not operating as designed at BPD and CDFI\n          Fund.\n\n          Backup controls were not in place at BPD and that CDFI Fund did not fully implement\n          backup controls as required by NIST and Department of the Treasury guidance. A lack of\n          frequent, successful backups can have a significant negative effect on Treasury information\n          systems if a disaster (i.e., hard-drive failure, natural disaster, or national emergency) were to\n          occur. Data that has not been stored off-site on tape or other media could be lost if a disaster\n          were to occur.\n\n\n                                                                                                  Page 10\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n\n       9. System configuration settings were not implemented properly at DO and OCC.\n\n          DO and OCC lacked sufficient implemented settings as required by TD P 85-01 Volume I.\n          The bureaus self-identified multiple settings that were not in place and that there was\n          no one specific or one overall trend. By not adequately implementing restrictive\n          configuration settings, Treasury bureaus increase the risk of malicious attacks to their\n          systems.\n\n       10. System baselines were not documented properly at BPD, FMS, and FinCEN.\n\n          BPD, FMS, and FinCEN lacked sufficient baseline documentation as required by TD P 85-01\n          Volume I. By not adequately documenting configuration baselines, Department of the\n          Treasury bureaus are susceptible to risks when new security threats emerge or system\n          hardware and software is changed.\n\n       11. Multifactor authentication was not implemented at FMS.\n\n          A selected FMS system lacked sufficient multifactor authentication as required by NIST\n          guidance. 
Multifactor authentication provides an additional level of security for accounts to\n          prevent unauthorized access within the IT infrastructure.\n\n\n\n\n                                                                                               Page 11\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\nFINDINGS\n\n1. Logical account management activities were not in place or were not consistently\n   performed by the bureaus at BPD, TTB, DO, OCC, and FinCEN\n\n   We identified an inconsistent implementation of logical access controls at BPD, TTB, DO, OCC, and\n   FinCEN. We noted the following:\n\n       1. For the two selected BPD systems, BPD management could not provide sufficient supporting\n          documentation evidencing the users\xe2\x80\x99 last log-on date or time. As a result, we were unable to\n          test the operating effectiveness of the controls over whether inactive users are disabled. (See\n          Recommendations #1 and #2.)\n\n       2. Account management activities were not consistently performed as required by TD P 85-01\n          Volume I, Treasury Information Technology Security Program, and bureau-specific policies\n          at TTB, OCC, FinCEN, and DO.\n          \xe2\x80\xa2 TTB had three active user accounts that should have had access revoked. One account, a\n               test account, had last logged in on March 22, 2012 and the account was not deactivated\n               after 60 days of inactivity. Another account was for an individual who had separated in\n               July 2011 but still had an enabled account. Additionally, there was a separated individual\n               whose account was still active 20 days after her departure. 
TTB management explained\n               that it did not have an automated mechanism to disable inactive accounts due to a\n               technical limitation; therefore, some user accounts were not properly disabled in a timely\n               manner. Additionally, TTB stated that access removal for separated employees was a\n               manual process by each employee\xe2\x80\x99s supervisor and that human error occurred. (See\n               Recommendations #3 and #4.)\n          \xe2\x80\xa2 For a selected DO system, DO management did not formally document and maintain\n               access request forms for privileged user accounts. This was self-discovered during the\n               systems continuous monitoring test performed in June 2012. While there was a\n               documented corrective action plan in the continuous monitoring report, there was not an\n               updated POA&M item during the FISMA year. (See Recommendation #5.)\n          \xe2\x80\xa2 OCC did not incorporate all general support system user accounts of Office of Thrift\n              Supervision (OTS), the bureau that OCC partially took over last year, as part of its access\n              review process. When OTS migrated to OCC, most of the accounts were changed from\n              OTS accounts to OCC accounts. Fourteen users were not transferred over. OCC noticed\n              this when they did their account review and created a POA&M to remediate it. This was a\n              self-reported finding and documented within OCC\xe2\x80\x99s POA&M report in the Trusted Agent\n              FISMA (TAF) system and scheduled to be corrected on July 31, 2012.\n          \xe2\x80\xa2 A selected FinCEN system had a user account on the database that had unnecessary access\n              permissions. We noted this was due to database accounts not being sufficiently reviewed\n              for access privileges. 
This was a self-identified weakness as a result of FinCEN\xe2\x80\x99s security\n              assessment and authorization and scheduled to be corrected on January 14, 2013.\n\n   These control deficiencies demonstrate that these bureaus did not appropriately implement policies\n   for reviewing user access, disabling or deleting inappropriate user access, and following NIST\xe2\x80\x99s\n   concept of least privilege.\n\n   By failing to disable the accounts of separated users or inactive users promptly, and by not\n   implementing a periodic review of all user and administrator accounts for inactivity or permissions,\n\n\n\n\n                                                                                                Page 12\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n   there is an increased risk that users could gain or retain unauthorized access and/or modify production\n   data on their respective systems or the network\n\n   We recommend that BPD management:\n\n       1. For both selected systems, develop or acquire additional system capability that generates user\n          lists with last log-on dates so that inactive users are automatically disabled in a timely\n          manner.\n\n       2. For both selected systems, in the absence of a long-term system capability solution, perform\n          manual monthly reviews of all system user accounts and disable or delete accounts that no\n          longer need access.\n\n   We recommend that TTB management:\n\n       3. Implement an automated mechanism, a script, or manual review process to ensure inactive\n          accounts are disabled after 60 days of inactivity.\n\n       4. Ensure that supervisors are aware of their responsibilities to remove the access of separated\n          employees.\n\n   We recommend that DO management:\n\n       5. 
Include the corrective action plans from the selected system\xe2\x80\x99s continuous monitoring report\n          into a POA&M item.\n\n   Based on the planned corrective actions for OCC and FinCEN, we are not making additional\n   recommendations.\n\n2. Security incidents were not reported in a timely manner at BEP, BPD, and FinCEN\n\n   Department of the Treasury bureaus are required to submit all security incidents to the TCSIRC\n   within specified time frames categorized by incident severity. The audit identified incidents that were\n   reported later than the US-CERT and Department of the Treasury recommended guidelines at BEP,\n   BPD, and FinCEN. We noted that all three bureaus reported CAT 1 security incidents later than the\n   deadlines required by TD P 85-01 Volume I, which takes its guidance from US-CERT. Specifically,\n   we noted the following:\n\n       \xe2\x80\xa2   BEP did not report 3 of the 15 sampled security incidents to TCSIRC within the one-hour\n           time period required for a CAT 1 incident. Specifically, one incident was reported 50 minutes\n           late, one incident was reported 65 minutes late, and another incident was not reported until\n           seven days after identification. BEP Help Desk reports incidents to the designated BEP\n           Incident Coordinator, who then forwards the reported incident to the BEP CSIRC\n           Management Team. This two-step process caused delays with the submission of the security\n           incident to TCSIRC within BEP\xe2\x80\x99s documented time frames. Additionally, not all Help Desk\n           members had been fully trained to respond to security incidents and properly report them to\n           the BEP CSIRC Management Team. (See Recommendations #6 and #7.)\n       \xe2\x80\xa2   BPD did not report one out of three security incidents within the required one-hour time\n           period for a CAT 1 incident (the incident took 14 hours to report). 
The delay was caused by\n           BPD\xe2\x80\x99s reliance on United Parcel Service (UPS) to verify the status of a missing package.\n\n\n\n                                                                                                 Page 13\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n           BPD followed UPS\xe2\x80\x99s advice and waited until the following day when the next UPS delivery\n           was made to ensure that the package was truly lost. (See Recommendations #8 and #9.)\n       \xe2\x80\xa2   FinCEN did not report 1 of the 12 incidents to TCSIRC within the required one-hour time\n           period for a CAT 1. Specifically, the incident was reported 69 hours after identification.\n           There was only one person responsible for FinCEN\xe2\x80\x99s CSIRC reporting, and the incident\n           occurred when this person was out of the office, which delayed reporting until he returned. At\n           the time, there were no backup CSIRC personnel. (See Recommendation #10.)\n\n   By not reporting security incidents in a timely manner, these bureaus increase the risk of unauthorized\n   access, or denial of service attacks, posed to their information system while the incident remains\n   unreported. Additionally, by not reporting incidents, the bureaus can impair the TCSIRC\xe2\x80\x99s and the\n   US-CERT\xe2\x80\x99s ability to track, analyze, and act on aggregated incident data.\n\n   We recommend that BEP management:\n\n       6. Revise the current Incident Response reporting process and written procedures to have the\n          Help Desk send all incidents to the CSIRC group as opposed to the BEP Incident\n          Coordinator.\n\n       7. Provide additional training to the Help Desk team members regarding BEP\xe2\x80\x99s incident\n          response policies and procedures to ensure they are consistently implemented. 
Additional\n          training for Help Desk personnel should include the same curriculum used by BEP CSIRC\n          management team members to allow for better understanding of the incident reporting\n          process.\n\n   We recommend that BPD management:\n\n       8. Ensure that BPD\xe2\x80\x99s CSIRC report all CAT 1 incidents to US-CERT within one hour\n          regardless of any additional procedures (follow- up, confirmation, or additional feedback\n          from third party) performed by CSIRC personnel.\n\n       9. Provide additional training to the BPD\xe2\x80\x99s CSIRC management team regarding BPD\xe2\x80\x99s incident\n          response policies and procedures to ensure that all incidents are reported in time regardless of\n          reliance on third parties to confirm incident.\n\n   We recommend that FinCEN management:\n\n       10. Evaluate its current CSIRC capability for collecting and submitting incident responses and\n           implement backup CSIRC personnel to ensure that incident response tickets are handled in a\n           timely fashion.\n\n\n\n\n                                                                                                 Page 14\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n3. System security plans at OCC and FMS did not fully document all security controls\n   from NIST SP 800-53, Rev. 3, and one SSP for FinCEN was not updated to address\n   weaknesses identified in the security assessments\n\n   NIST and Department of the Treasury guidance require that Department of the Treasury SSPs remain\n   up-to-date and current with the NIST Risk Management Framework and required NIST SP 800-53,\n   Rev. 3, security controls. 
Specifically, we noted that:\n\n   \xe2\x80\xa2   The two selected information systems from OCC did not include all required security controls in\n       areas such as access control, audit and accountability, contingency planning, identification and\n       authentication, maintenance, media protection, system and communications protection, and\n       system and information integrity, as specified in NIST SP 800-53, Rev. 3. We noted that the\n       conditions cited above occurred because OCC management did not perform an adequate review\n       of the two selected systems\xe2\x80\x99 SSPs and overlooked the lack of these controls and control\n       enhancements when updating the SSPs. (See Recommendations #11 and #12.)\n   \xe2\x80\xa2   The SSP for a selected FMS system did not reflect the current and primary source of backups for\n       the application. FMS management stated that the error was due to a management oversight when\n       updating the SSP. (See Recommendation #13.)\n   \xe2\x80\xa2   FinCEN\xe2\x80\x99s SSP for the selected system did not reflect the results of their latest Security\n       Assessment and Authorization, which required certain controls to be updated to reflect self-\n       identified weaknesses. It was noted that this was a self-reported finding and was listed as a\n       POA&M with the TAF system with an estimated date of completion of January 14, 2013.\n\n   Failing to document an up-to-date baseline of security controls may have a negative effect on\n   subsequent security activities. Specifically, OCC, FinCEN, and FMS may not be able to properly\n   implement, assess, authorize, and monitor the security controls for the selected systems; therefore, the\n   system security controls may not be sufficient to protect the confidentiality, integrity, and availability\n   of sensitive bureau information.\n\n   We recommend that OCC management:\n\n       11. 
For both selected systems, update the SSP to address and reference all the NIST SP 800-53,\n           Rev. 3, security controls and control enhancements for a Moderate baseline.\n\n       12. For both selected systems, ensure management conducts an adequate review of the SSPs to\n           ensure that it includes applicable NIST SP 800-53, Rev. 3, controls.\n\n   We recommend that FMS management:\n\n       13. Update the selected system\xe2\x80\x99s SSP to reflect the current and primary source of backups for the\n           application.\n\n   Based on the planned corrective actions for FinCEN, we are not making a recommendation.\n\n4. Audit logs were not sufficiently reviewed by FMS and DO in accordance with NIST and\n   Department of the Treasury requirements\n\n   NIST SP 800-53, Rev. 3, and TD P 85-01 Volume I require that government information systems\n   owners and security managers identify and review significant auditable events in order to protect the\n   confidentiality, integrity, and availability of the information system. These audit logs need to be\n\n\n                                                                                                    Page 15\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n   generated and reviewed by IT personnel on a regular basis if security incidents are to be discovered\n   and acted upon in a timely manner and should be appropriately stored for security and historical\n   purposes. We noted the following:\n\n       \xe2\x80\xa2   A selected FMS system\xe2\x80\x99s audit capabilities and functions did not adhere to the Fiscal Service\n           Baseline Services Requirements (BLSR) and NIST SP 800-53, Rev. 3, guidance as required\n           for HIGH categorized systems. Specifically, it did not have any automated capabilities or any\n           supporting processes to log and monitor security-relevant events. 
When designing the system,\n           FMS management did not adequately identify requirements and provide capabilities to log\n           and monitor security-related events. In addition, management did not establish a robust\n           monitoring process to support the review and follow-up of selected auditable events, and\n           management did not document within their system security plan specific security-related\n           events that will be monitored on an ongoing basis. (See Recommendations #14, #15, and\n           #16.)\n       \xe2\x80\xa2   A selected DO system lacked a process to review audit records. DO management self-\n           identified this weakness during a continuous monitoring assessment in June 2012. While\n           there was a documented corrective action plan in the continuous monitoring report, there was\n           not an updated POA&M item during the FISMA year. (See Recommendation #17.)\n\n   By not adhering to NIST guidance over audit log review policies, IT security personnel would be\n   unable to identify and mitigate significant threats to the information system. Additionally, this could\n   cause Department of the Treasury personnel to remain unaware of security incidents that have already\n   taken place, leaving the system in a compromised state for an extended period.\n\n   We recommend that FMS management:\n\n       14. Enhance the selected system audit capabilities to capture security-related events as prescribed\n           by the BLSR and NIST SP 800-53 guidance.\n\n       15. Establish a clear oversight process to review the security-related events and ensure\n           appropriate follow-up action is taken as prescribed by the BLSR and NIST SP 800-53.\n\n       16. Update the selected system\xe2\x80\x99s system security plan to document security-related events that\n           need to be monitored as prescribed by the BLSR.\n\n   We recommend that DO management:\n\n       17. 
Include the corrective action plans from the selected system’s continuous monitoring report into a POA&M item.

5. POA&Ms were not tracked in accordance with NIST and Department of the Treasury requirements at DO

The Department of the Treasury has provided guidance on POA&M creation and tracking through TD P 85-01 Volume I. This policy requires Department of the Treasury bureaus to maintain POA&Ms in order to help remedy weaknesses identified through audits, security assessments, and other risk management activities. POA&Ms document the responsible parties, time frames for mitigation, and additional necessary resources. We noted that a selected DO system had multiple weaknesses identified in the June 2012 continuous monitoring test report that were not documented in the system POA&M. DO bureau policy requires that POA&Ms be entered within 30 days after the weaknesses are initially identified. The failure to add these findings to the POA&M was an oversight by DO management when updating the system POA&M. (See Recommendations #18 and #19.)

By not recording identified information security weaknesses in POA&Ms, these weaknesses may not be addressed in a timely manner and may subsequently be exploited by an attacker. Moreover, by not recording and updating identified system security vulnerabilities in their POA&Ms in a timely manner, Department of the Treasury bureaus’ summary-level security metrics under-report the true number of known security weaknesses to the Department of the Treasury OCIO.
Additionally, senior Department of the Treasury management would be unable to exercise its oversight responsibilities to adjust funding levels, human resources, and requested priorities in response to identified security weaknesses.

We recommend that DO management:

    18. Update the selected system POA&M with the findings and recommendations reported in the system continuous monitoring test report.

    19. Ensure the continuous monitoring test results and recommendations are captured within the selected system POA&M within the 30-day required period.

6. Vulnerability scanning and remediation was not performed in accordance with Department of the Treasury requirements at FMS, Mint, DO, BPD, and OCC

TD P 85-01 Volume I and NIST SP 800-53, Rev. 3, require that bureaus conduct vulnerability scanning of their IT assets at least monthly. Additionally, high-risk weaknesses identified in this way are required to be remedied in a timely manner or, if a vulnerability cannot be remedied in a timely manner, tracked in a POA&M until the remediation actions are complete. We noted that five bureaus did not implement Department of the Treasury policy adequately. Specifically, we noted the following:

    • For a selected FMS system, FMS was unable to provide us with supporting documentation confirming that vulnerability scans were being performed over the system’s Internet Protocol (IP) addresses.
Therefore, we could not determine if vulnerability scans had been performed, if any vulnerabilities were identified, and if any corresponding corrective actions or POA&M items had been implemented. (See Recommendations #20 and #21.)
    • For a selected Mint system, the November 2011 vulnerability scan contained vulnerabilities with a high risk rating that were not remedied prior to the March 2012 vulnerability scans. The Mint POA&M report from TAF, generated in June 2012, did not reflect the open vulnerabilities. These vulnerabilities were not properly remedied due to the Mint’s management decision to remediate noncritical vulnerabilities using a risk-based approach. This risk-based approach did not address all noncritical vulnerabilities in a timely manner and deviated from the Mint’s vulnerability remediation policy, which requires noncritical patches to be applied on a bimonthly basis. (See Recommendation #22.)
    • For the selected DO system, DO management identified multiple high-risk weaknesses in vulnerability scans and missing scans for database components during DO’s continuous monitoring assessment in 2012. While a documented corrective action plan was established in the continuous monitoring report, the weaknesses were not recorded in the POA&M during the FISMA year. (See Recommendation #23.)
    • For both selected BPD systems, BPD management identified that there were insufficient procedures over vulnerability remediation in place.
This was a self-reported finding and documented within BPD’s POA&M report on TAF. The POA&M item is scheduled to be completed on June 30, 2013.
    • For both selected OCC systems, OCC management identified multiple high-risk weaknesses in vulnerability scans that were not remediated. This was a self-reported finding and documented within OCC’s POA&M report on TAF. The POA&M item is scheduled to be completed on August 15, 2012.

Without knowledge of missing security patches, insecure configurations, or application vulnerabilities, Department of the Treasury bureaus might not take steps to mitigate potential vulnerabilities in their information systems. These vulnerabilities could lead to their systems and/or applications being compromised and sensitive information being released, altered, or deleted.

We recommend that FMS management:

    20. Formally document the vulnerability scanning and flaw remediation processes for the Fiscal Services organization and communicate the processes to affected field personnel.

    21. Maintain a complete listing of hosts and IP addresses for the selected FMS system production environment, document any changes to this listing, and retain enough supporting documentation to confirm the accuracy of completed vulnerability scans.

We recommend that Mint management:

    22. Follow their vulnerability remediation policy for all vulnerabilities, including older, noncritical patches, to ensure that vulnerabilities are not missed in the remediation process.

We recommend that DO management:

    23.
Include the corrective action plans from the selected system’s continuous monitoring report into a POA&M item.

Based upon the planned corrective actions for BPD and OCC, we are not making a recommendation.

7. Contingency planning and testing controls were not fully implemented or operating as designed at DO and FMS

Treasury guidance requires its bureaus to protect their information systems in the event of a disaster. Bureaus must create plans for system recovery and test these plans. Two Treasury bureaus did not fully implement contingency planning (planning and testing) controls as required by TD P 85-01 Volume I and NIST SP 800-53, Rev. 3, guidance. While these controls do not affect normal, daily operations, they are invaluable in quickly recovering from a disaster or service interruption. Specifically, we noted the following:

    • Contingency plan documentation for a selected DO system was not updated within the FISMA year. Additionally, contingency plan testing was not performed for the system within the FISMA year. DO management self-identified these weaknesses during a continuous monitoring assessment in June 2012. While there was a documented corrective action plan in the continuous monitoring report, there was not an updated POA&M item during the FISMA year. (See Recommendation #24.)

    • For one selected FMS system, FMS management identified that the contingency plan test was not performed within the FISMA year.
This was a self-reported finding and documented within FMS’s POA&M report on TAF, with an estimated completion date of August 30, 2012.
    • For another selected FMS system, FMS management identified that one of three disaster recovery exercise reconstitution test objectives was not completed during contingency plan testing. This was a self-reported finding and documented within FMS’s POA&M report on TAF, with an estimated completion date of August 30, 2012.

Contingency plans and contingency plan testing, as required by NIST SP 800-34, are paramount in assuring that Department of the Treasury information systems can remain operational with the least amount of downtime possible in emergencies. Failure to appropriately test recovery capabilities could result in the unavailability of critical Department of the Treasury information and information systems in the event of a disaster.

We recommend that DO management:

    24. Include the corrective action plans from the selected system’s continuous monitoring report into a POA&M item.

Based on the planned corrective actions for FMS, we are not making a recommendation.

8. Backup controls were not in place or were not operating as designed at BPD and CDFI Fund

We identified insufficient implementation of backup controls at BPD and CDFI Fund. Specifically, we noted the following:

    • BPD management could not provide sufficient supporting documentation evidencing that the backup jobs were run successfully. As a result, we were unable to test the operating effectiveness of the controls over backups. The weekly backup logs did not specify whether the selected backup jobs were successful or had failed. BPD stated that the system was not configured to include the backup status on the logs.
(See Recommendation #25.)
    • Backups of CDFI Fund data for the selected system were not being performed on a regular basis. Upon inspection of all successful backups between December 2011 and April 2012, it was noted that backups of data were occurring, but the frequency ranged from two to seven times a month. This did not comply with the SSP, which indicated that daily incremental backups and a weekly full backup occur. CDFI Fund stated that TTB took over the backup responsibilities in May 2012 and, as a result of the upcoming transition, evidence of successful backups was not maintained. (See Recommendation #26.)

Department of the Treasury guidance requires its bureaus to protect their information systems in the event of a disaster. Bureaus must plan for system recovery, test these plans, and store redundant data to assist in such a system recovery. Two Department of the Treasury bureaus did not fully implement backup controls as required by TD P 85-01 Volume I and NIST SP 800-53, Rev. 3, guidance. While these controls do not affect normal, daily operations, they are invaluable in quickly recovering from a disaster or service interruption. Lack of frequent, successful backups can have a significant negative effect on Department of the Treasury information systems if a disaster (e.g., hard-drive failure, natural disaster, or national emergency) were to occur. Data can be lost and successful system restoration thwarted if backups are not available.

We recommend that BPD management:

    25.
Enhance the logging capability of the system’s backup process so management can determine whether the backups were successfully completed.

We recommend that CDFI Fund management:

    26. Ensure that the system backups are completed successfully per the frequency defined in the SSP, and retain evidence of successful completion for one year.

9. System configuration settings were not implemented properly at DO and OCC

TD P 85-01, Volume I, requires bureaus to implement restrictive configuration settings and to detect and track unauthorized changes to the information system. This is to protect information integrity and confidentiality. By not adequately implementing restrictive system configuration settings, DO and OCC reduce their ability to protect against malicious attacks. We noted the following:

    • A selected DO system lacked sufficient mechanisms to track and detect unauthorized changes. DO management self-identified these weaknesses during a continuous monitoring assessment in June 2012. While there was a documented corrective action plan in the continuous monitoring report, there was not an updated POA&M item during the FISMA year. (See Recommendation #27.)
    • For both selected OCC systems, OCC management identified that configuration settings were not set to the most restrictive settings possible. Both systems had multiple weaknesses identified in configuration settings that did not meet the required threshold for restrictive settings as stated by NIST. This was a self-reported finding and documented within OCC’s POA&M report on TAF. The POA&M item is scheduled to be completed on December 31, 2013.

We recommend that DO management:

    27.
Include the corrective action plans from the selected system’s continuous monitoring report into a POA&M item.

Based upon the planned corrective actions for OCC, we are not making a recommendation.

10. System baselines were not documented properly at BPD, FMS, and FinCEN

TD P 85-01, Volume I, requires that Treasury bureaus document configuration baselines. TD P 85-01, Volume I, uses the Federal Enterprise Architecture Framework, Version 1.1, as guidance to federal bureaus on how to establish enterprise architecture over IT systems. These mechanisms are in place to establish security standards for information systems to protect them from threats and vulnerabilities. By not adequately documenting and implementing system baselines, BPD, FMS, and FinCEN increase the risk of vulnerabilities being exposed on the system. We noted the following:

    • Both selected BPD systems did not have baseline configurations formally documented. BPD management was aware of the lack of this documentation for both systems; however, management had planned to rely on system backups to restore system information in case of a disaster event. (See Recommendation #28.)

    • A selected FMS system lacked sufficient system baseline documentation. Specifically, the baseline documentation did not establish operational requirements.
Moreover, documentation of the following elements did not exist: mandatory configuration settings for the information system components to reflect the most restrictive mode; a list of authorized and unauthorized programs; and mechanisms to verify configuration settings and respond to unauthorized changes. The selected system Configuration Management Plan did not provide a clear distinction between the program change control and system configuration management processes identified in the FMS Entity-Wide IT Standards. The lack of clarity and baseline features within the selected system Configuration Management Plan was overlooked by FMS management when establishing the plan. (See Recommendations #29, #30, and #31.)
    • KPMG confirmed that, for a selected FinCEN system, FinCEN management identified that the baseline settings were outdated. This was a self-reported finding and documented within FinCEN’s POA&M report on TAF. The POA&M item is scheduled to be completed on January 14, 2013.

We recommend that BPD management:

    28. For both selected systems, develop baseline configurations (application build guides) that are consistent with the system’s SSP and the Federal Enterprise Architecture.

We recommend that FMS management:

    29. Clarify the distinction between program change control and system configuration management within the FMS Entity-Wide IT Standards and the selected system Configuration Management Plan by documenting, and considering correcting, gaps in the current process and work flow to clearly outline work flow, tasks, and management oversight.

    30.
Update the selected system Configuration Management Plan to establish operational requirements and document the following elements: mandatory security-relevant configuration settings, a description of the controls to address unauthorized security-relevant changes to the configuration of the system, and a list of authorized/unauthorized changes.

    31. Document a secure baseline and mandatory configuration settings for the information system components in the selected system Configuration Management Plan to reflect the most restrictive mode in support of the security controls for the system.

Based upon the planned corrective actions for FinCEN, we are not making a recommendation.

11. Multifactor authentication was not implemented at FMS

NIST SP 800-53, Rev. 3, guidance requires systems to implement multifactor authentication for local and network access to privileged and nonprivileged accounts. Multifactor authentication provides an additional level of security for accounts to prevent unauthorized access within the IT infrastructure. KPMG confirmed that, for the selected FMS system, FMS management identified that it did not implement multifactor authentication for any level of access to the system. This was a self-reported finding and documented within FMS’s POA&M report on TAF.
The POA&M item is scheduled to be completed on December 31, 2012.

Based on FMS’s planned corrective actions, we are not making a recommendation.

MANAGEMENT RESPONSE TO THE REPORT

The following is the OCIO’s response, dated October 12, 2012, to the FY 2012 FISMA Performance Audit Report.

October 12, 2012

MEMORANDUM FOR JOEL GROVER
               DEPUTY ASSISTANT INSPECTOR GENERAL
               FOR FINANCIAL MANAGEMENT AND
               INFORMATION TECHNOLOGY AUDIT

FROM:          Robyn East /s/
               Deputy Assistant Secretary for Information Systems
               and Chief Information Officer (CIO)

SUBJECT:       Management Response to Draft Audit Report – “FY 2012 Audit of Treasury’s Federal Information Security Management Act (FISMA) Implementation for Its Unclassified Systems”

Thank you for the opportunity to comment on the draft audit report entitled “FY 2012 Audit of Treasury’s Federal Information Security Management Act (FISMA) Implementation for Its Unclassified Systems.” We are pleased that the report found that our security program is generally consistent with FISMA legislation, OMB information security requirements, and related information security standards published by the National Institute of Standards and Technology. We have carefully reviewed the draft and agree with all findings and recommendations.
Please refer to the attachment for further details on our planned corrective actions. We appreciate your noting that some of the findings were actually items identified by Bureaus through their security programs.

The Department remains committed to improving its security program. We have made notable progress over the past year. For example, we closed all but six of the forty-three recommendations from last year’s FISMA audit. Also, as the Department continues to transition to OMB’s eventual goal of “real-time” reporting capability, we have accomplished a number of achievements, to include:

    • Initiated, and continue to expand, the Treasury Continuous Monitoring and Automation (CMA) Program. When fully implemented, CMA will provide a centralized Departmental means for the automated collection, correlation, and analysis of data regarding the IT security posture across Treasury.

    • Re-aligned and updated the Department’s core cybersecurity policies to be consistent with the latest federal policies and guidelines to protect our information systems from potential adversaries and other threats.

    • Received DHS and OMB approval for three new Trusted Internet Connections (TICs) at the IRS and deployed DHS Einstein security sensors at each of these sites. This resulted in an increase of the Department’s overall Internet traffic traversing an approved TIC from 4% to over 95%. Information collected via these sensors is used by DHS to detect and correlate potential cyber security threats throughout the federal government.

    • Increased the level of compliance with the OMB policy requirement for Domain Name System Security Extensions (DNSSEC) from 14% in FY 2011 to 65% in FY 2012.
This is important to reduce the ability of others to impersonate Treasury websites. This mandate is monitored weekly.

    • Addressed a key OMB goal of enhancing automated security data feeds from bureaus to the OMB secure data site. This was raised from 15% in FY 2011 to over 83% in FY 2012. These automated feeds provide both OMB and DHS the ability to conduct continuous monitoring of asset, vulnerability, and security configuration management across the government.

We appreciate the audit recommendations because they will help improve our security posture. If you have any questions, please contact Edward Roback, Associate CIO for Cyber Security, at 202-622-2593.

Attachment

cc:       Edward A. Roback

Management Response to the Office of the Inspector General (OIG) Recommendations

(U) OIG Finding 1: Logical account management activities were not in place or were not consistently performed by the bureaus at BPD, TTB, DO, OCC and FinCEN

(U) OIG Recommendation 1: For Bureau of the Public Debt (BPD), we recommend that management: For both selected systems, develop or acquire additional system capability that generates user lists with last log-on dates so that inactive users are automatically disabled in a timely manner.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. BPD will develop or acquire additional system capability that generates user lists with last logon dates so that inactive users are automatically disabled in a timely manner.
Target completion: June 30, 2013

        (U) Responsible Official: Bureau of Fiscal Service (BFS), Acting Chief Information Security Officer (CISO)

(U) OIG Recommendation 2: For BPD, we recommend that management: For both selected systems, in the absence of a long-term system capability solution, perform manual monthly reviews of all system user accounts and disable or delete accounts that no longer need access.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. In the absence of a long-term system capability solution, BPD will perform manual monthly reviews of all user accounts for both selected systems, and disable or delete accounts that no longer need access. Target completion: June 30, 2013

        (U) Responsible Official: BFS, Acting CISO

(U) OIG Recommendation 3: For Alcohol and Tobacco Tax Bureau (TTB), we recommend that management: Implement an automated mechanism, a script, or manual review process to ensure inactive accounts are disabled after 60 days of inactivity.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. All three noted accounts have been deleted. Based on the findings and recommendations, TTB has already implemented a mechanism to examine and disable inactive accounts. An automated script has been deployed that examines Active Directory accounts and checks various attributes to determine if any of the accounts have been inactive for over 60 days and the password has not been changed in 90 days.
If the script finds an account that meets this criterion, the script disables the user account and creates a log file for system administration review and action. Completed: August 6, 2012

        (U) Responsible Official: TTB, Assistant Chief Information Officer (ACIO) for Information Technology (IT) Security, Chief Information Security Office/Information System Security Officer (CISO/ISSO)

(U) OIG Recommendation 4: For TTB, we recommend that management: Ensure that supervisors are aware of their responsibilities to remove the access of separated employees.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. TTB has sent out written communications to all supervisors stressing the need to follow the Automated Information System (AIS) Security Program Procedures and to submit timely e7200 user removal requests.
Completed: August 20, 2012

        (U) Responsible Official: TTB, ACIO for IT CISO/ISSO

(U) OIG Recommendation 5: For Departmental Offices (DO), we recommend that management: Include the corrective action plans from the selected system’s continuous monitoring report into a POA&M [Plan of Action and Milestones] item.

        (U) Treasury Response: The corrective action plans from the selected DO system continuous monitoring report have been created in Trusted Agent FISMA as a POA&M item. Completed: August 15, 2012

        (U) Responsible Official: DO, ISSO for the appropriate system.

(U) OIG: Based on the planned corrective actions for OCC [Office of the Comptroller of the Currency] and FinCEN [Financial Crimes Enforcement Network], we are not making additional recommendations.


(U) OIG Finding 2: Security incidents were not reported in a timely manner at BEP, BPD, and FinCEN

(U) OIG Recommendation 6: For Bureau of Engraving and Printing (BEP), we recommend that management: Revise the current Incident Response reporting process and written procedures to have the helpdesk send all incidents to the CSIRC [Computer Security Incident Response Center] group as opposed to the BEP Incident Coordinator.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. BEP will work with Treasury to evaluate and modify as necessary its incident response reporting process and procedures to meet the objective of the recommendation. Additionally, Treasury will review its Department-wide incident response reporting policy, and, if appropriate, coordinate with other agencies with Federal-wide policy setting authority on the lack of identifiable utility of the "one-hour rule" for reporting of fully encrypted devices.
Target completion: February 1, 2013

        (U) Responsible Official: BEP CIO, BEP CISO, and Treasury CISO

(U) OIG Recommendation 7: For BEP, we recommend that management: Provide additional training to the Help Desk team members regarding BEP’s incident response policies and procedures to ensure they are consistently implemented. Additional training for Help Desk personnel should include the same curriculum used by BEP CSIRC management team members to allow for better understanding of the incident reporting process.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. BEP will ensure that all its incident response team members (i.e., Help Desk) receive training commensurate with their duties and responsibilities. Target completion: January 31, 2013

        (U) Responsible Official: BEP, CIO and BEP CISO

(U) OIG Recommendation 8: For BPD, we recommend that management: Ensure that BPD’s CSIRC reports all CAT 1 incidents to US-CERT [United States Computer Emergency Readiness Team] within one (1) hour regardless of any additional procedures (follow up, confirmation or additional feedback from third party) performed by CSIRC personnel.

        (U) Treasury Response: Treasury agrees with the finding and recommendation.
Procedures defining CAT I reporting responsibilities are defined in Public Debt’s CSIRC Manual. Completed: October 3, 2012

        (U) Responsible Official: BFS Acting CISO

(U) OIG Recommendation 9: For BPD, we recommend that management: Provide additional training to the BPD’s CSIRC management team regarding BPD’s incident response policies and procedures to ensure that all incidents are reported in time regardless of reliance on third parties to confirm the incident.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. BPD has clarified any perceived ambiguity that existed with regard to reporting CAT I incidents with all applicable employees. Completed: October 3, 2012

        (U) Responsible Official: BFS, Acting CISO

(U) OIG Recommendation 10: For FinCEN, we recommend that management: Evaluate its current CSIRC capability for collecting and submitting incident responses and implement back-up CSIRC personnel to ensure that incident response tickets are handled in a timely fashion.

        (U) Treasury Response: Treasury agrees with the finding and recommendation. FinCEN will incorporate an active acknowledgement process via FinCEN CSIRC upon receipt of a security incident and will assign a backup point of contact to ensure that incidents are handled in a timely manner. Target completion: December 31, 2012.

        (U) Responsible Official: FinCEN, CISO


(U) OIG Finding 3: System security plans at OCC and FMS did not fully document all security controls from NIST SP 800-53, Rev.
3, and one SSP [system security plans] for FinCEN was not\nupdated to address weaknesses identified in the security assessments\n\n(U) OIG Recommendation 11: For OCC, we recommend that management: For both selected systems,\nupdate the SSP to address and reference all the NIST SP 800-53, Revision 3 security controls and control\nenhancements for a Moderate baseline.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. OCC has\n        completed updates to the SSPs reviewed by the auditors, verifying that both reference all NIST\n        800-53, Revision 3 security controls and control enhancements for a Moderate baseline system.\n        Completed: August 23, 2012\n\n        (U) Responsible Official: OCC, CISO/Chief Privacy Officer (CPO)\n\n(U) OIG Recommendation 12: For OCC, we recommend that management: For both selected systems,\nensure management conducts an adequate review of the SSPs [System Security Plan] to ensure that it\n\n\n\n                                                                                                    Page 27\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\nincludes applicable [National Institute of Standards and Technology Special Publication] NIST SP 800-\n53, Revision 3 controls.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. OCC is\n        currently in the process of refining its Security Assessment and Authorization (SA&A) document\n        review process to ensure adequate reviews are performed. Target completion: December 16,\n        2012\n\n        (U) Responsible Official: OCC, CISO/CPO\n\n(U) OIG Recommendation 13: For Financial Management Service (FMS), we recommend that\nmanagement: Update the selected system\xe2\x80\x99s SSP to reflect the current and primary source of backups for\nthe application.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. 
FMS will\n        update the SSP to reflect the current and primary source of backups for the application. Target\n        completion:\n        June 30, 2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG: Based on the planned corrective actions for FinCEN, we are not making a recommendation.\n\n\n(U) OIG Finding 4: Audit logs were not sufficiently reviewed by FMS and DO in accordance with\nNIST and Department of the Treasury requirements\n\n(U) OIG Recommendation 14: For FMS, we recommend that management: Enhance the selected\nsystem audit capabilities to capture security-related events as prescribed by the [Baseline Services\nRequirements] BLSR and NIST SP 800-53 guidance.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. FMS will\n        implement the UNIX baseline on the SPS boxes to include auditing capabilities. Target\n        completion: May 31, 2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 15: For FMS, we recommend that management: Establish a clear oversight\nprocess to review the security-related events and ensure appropriate follow-up action is taken as\nprescribed by the BLSR and NIST SP 800-53.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. FMS will\n        establish a clear oversight process to review the security-related events and ensure appropriate\n        follow-up action is taken. 
Target completion: May 31, 2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 16: For FMS, we recommend that management: Update the selected\nsystem\xe2\x80\x99s system security plan to document security-related events that need to be monitored as prescribed\nby the BLSR.\n\n\n\n                                                                                                   Page 28\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. FMS will\n       update the selected system\xe2\x80\x99s security plan to document security-related events that need to be\n       monitored. Target completion: June 15, 2013\n\n       (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 17: For DO, we recommend that management: Include the corrective action\nplans from the selected system\xe2\x80\x99s continuous monitoring report into a POA&M item.\n\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. The corrective\n       action plans from the selected DO system continuous monitoring report has been created in\n       Trusted Agent FISMA as a POA&M item. Completed: August 15, 2012\n\n       (U) Responsible Official: DO, ISSO for the selected system\n\n\n(U) OIG Finding 5: Plans of Action and Milestones (POA&Ms) were not tracked in accordance\nwith NIST and Department of the Treasury requirements at DO\n\n(U) OIG Recommendation 18: For DO, we recommend that management: Update the selected system\nPOA&M with the findings and recommendations reported in the system continuous monitoring test\nreport.\n\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. 
Departmental\n       Offices respective ISSOs has updated the selected system POA&M in Trusted Agent FISMA\n       with the findings and recommendations reported in the system continuous monitoring test report.\n       Completed: August 15, 2012\n\n       (U) Responsible Official: DO, ISSO for the selected system\n\n(U) OIG Recommendation 19: For DO, we recommend that management: Ensure the continuous\nmonitoring test results and recommendations are captured within the selected system POA&M within the\n30-day required period.\n\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. Departmental\n       Offices respective ISSOs has updated the selected system POA&M in Trusted Agent FISMA\n       with the findings and recommendations reported in the system continuous monitoring test report.\n       Completed: August 15, 2012\n\n       (U) Responsible Official: DO, ISSO for the selected system\n\n\n(U) OIG Finding 6: Vulnerability scanning and remediation was not performed in accordance with\nDepartment of the Treasury requirements at FMS, Mint, DO, BPD, and OCC\n\n(U) OIG Recommendation 20: For FMS, we recommend that management: Formally document the\nvulnerability scanning and flaw remediation processes for the Fiscal Services organization and\ncommunicate the processes to affected field-personnel.\n\n\n\n\n                                                                                                 Page 29\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. FMS will\n        develop and implement an enterprise procedure for vulnerability scanning & remediation. 
Target\n        completion:\n        June 30, 2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 21: For FMS, we recommend that management: Maintain a complete\nlisting of hosts and IP addresses for the selected FMS system production environment and document any\nchanges to this listing, and retain enough supporting documentation to confirm the accuracy of completed\nvulnerability scans.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. FMS will\n        ensure that all infrastructure Configuration Items (as defined by Service Asset and Configuration\n        Management Standard) include their FISMA system association as a required element of their\n        CMDB entry. Target completion: May 1, 2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 22: For Mint, we recommend that management: Follow their vulnerability\nremediation policy for all vulnerabilities, including older, noncritical patches, to ensure that\nvulnerabilities are not missed in the remediation process.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. Mint will\n        institute a new patch remediation procedure that gives patch criticality, instance count, and patch\n        publish date equal weight in the remediation tracking process. This will ensure that all patches\n        are addressed in a timely manner regardless of the instance count in the environment. Target\n        completion: November 30, 2012\n\n        (U) Responsible Official: Mint, CISO\n\n(U) OIG Recommendation 23: For DO, we recommend that management: Include the corrective action\nplans from the selected system\xe2\x80\x99s continuous monitoring report into a POA&M item.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. 
The corrective\n        action plans from the selected DO system continuous monitoring report has been created in\n        Trusted Agent FISMA as a POA&M item. Completed: August 15, 2012\n\n        (U) Responsible Official: DO, ISSO for the selected system\n\n(U) OIG: Based upon the planned correction actions for BPD and OCC, we are not making a\nrecommendation.\n\n\n(U) OIG Finding 7: Contingency planning & testing controls were not fully implemented or\noperating as designed at DO and FMS\n\n(U) OIG Recommendation 24: For DO, we recommend that management: Include the corrective action\nplans from the selected system\xe2\x80\x99s continuous monitoring report into a POA&M item.\n\n\n\n\n                                                                                                    Page 30\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. The corrective\n       action plans from the selected DO system continuous monitoring report has been created in\n       Trusted Agent FISMA as a POA&M item. Completed: August 15, 2012\n\n       (U) Responsible Official: DO, ISSO for the selected system\n\n(U) OIG: Based on the planned corrective actions for FMS, we are not making a recommendation.\n\n(U) OIG Finding 8: Backup controls were not in place or were not operating as designed at BPD\nand CDFI Fund\n\n(U) OIG Recommendation 25: For BPD, we recommend that management: Enhance the logging\ncapability of the system\xe2\x80\x99s backup process so management can determine whether the backups were\nsuccessfully completed.\n\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. BPD will\n       provide detailed logs of selected system\xe2\x80\x99s backups and a legend of the current backup logs, which\n       show the volume sets being backed up. 
Target completion: April 30, 2013\n\n       (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 26: For Community Development Financial Institution (CDFI) Fund, we\nrecommend that management: Ensure that the system backups are completed successfully per the defined\nfrequency in the SSP, and retain evidence of successful completion for one year.\n\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. The CDFI\n       Fund will ensure that backups are performed successfully per the defined frequency in the SSP,\n       and that TTB retains evidence of successful completion for one year. Target completion:\n       October 31, 2012\n\n       (U) Responsible Official: CDFI, CIO\n\n\n(U) OIG Finding 9: System configuration settings were not implemented properly at DO and OCC\n\n(U) OIG Recommendation 27: For DO, we recommend that management: Include the corrective action\nplans from the selected system\xe2\x80\x99s continuous monitoring report into a POA&M item.\n\n       (U) Treasury Response: Treasury agrees with the finding and recommendation. The corrective\n       action plans from the selected DO system continuous monitoring report has been created in\n       Trusted Agent FISMA as a POA&M item. 
Completed: August 15, 2012\n\n       (U) Responsible Official: DO, ISSO for the selected system\n\n(U) OIG: Based upon the planned correction actions for OCC, we are not making a recommendation.\n\n\n(U) OIG Finding 10: System baselines were not documented properly at BPD, FMS, and FinCEN\n\n\n\n\n                                                                                                Page 31\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2012\n(U) OIG Recommendation 28: For BPD, we recommend that management: For both selected systems,\ndevelop baseline configurations (applications build guides) that are consistent with the system\xe2\x80\x99s SSP and\nFederal Enterprise Architecture.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. BPD will\n        leverage existing Configuration Management data to ensure all Configuration Items (CIs)\n        necessary to deliver the system are identified. This will include: infrastructure, applications, and\n        supporting services; ensure relationships and dependencies among the identified CIs are\n        documented within the Configuration Management Data Base (CMDB); ensure build guides\n        ("baselines") exist, where appropriate, for all identified CIs; and, ensure a system-level build\n        guide exists, including CI build guides by reference as appropriate. Target completion: June 30,\n        2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 29: For FMS, we recommend that management: Clarify the distinction\nbetween program change control and system configuration management within the FMS Entity-Wide IT\nStandards and the selected system Configuration Management Plan by documenting and considering\ncorrecting gaps in the current process and work flow to clearly outline work flow, tasks, and management\noversight.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. 
Due to the\n        fiscal service consolidation, FMS Entity-Wide IT Standards are now obsolete. However, the\n        Fiscal Service will review documentation defining work flow for change control and\n        configuration management, and, if deemed necessary, revise documentation to further clarify\n        workflow, tasks, and management oversight for these two processes. Target completion: March\n        31, 2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 30: For FMS, we recommend that management: Update the selected system\nConfiguration Management Plan to establish operational requirements and document the following\nelements: mandatory security relevant configuration settings, description of the controls to address\nunauthorized security relevant changes to the configuration of the system, and a list of\nauthorized/unauthorized changes.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. FMS will\n        review documentation defining work flow for change control and configuration management,\n        and, if deemed necessary, revise documentation to further clarify workflow, tasks, and\n        management oversight for these two processes. Target completion: March 31, 2013\n\n        (U) Responsible Official: BFS, Acting CISO\n\n(U) OIG Recommendation 31: For FMS, we recommend that management: Document a secure\nbaseline and mandatory configuration settings for the information system components in the selected\nsystem Configuration Management Plan to reflect the most restrictive mode in support of the security\ncontrols for the system.\n\n        (U) Treasury Response: Treasury agrees with the finding and recommendation. 
FMS will review documentation defining work flow for change control and configuration management, and, if deemed necessary, revise documentation to further clarify workflow, tasks, and management oversight for these two processes. Target completion: March 31, 2013

        (U) Responsible Official: BFS, Acting CISO

(U) OIG: Based upon the planned corrective actions for FinCEN, we are not making a recommendation.


(U) OIG Finding 11: Multifactor authentication was not implemented at FMS

(U) OIG: Based on FMS' planned corrective actions, we are not making a recommendation.


Objective, Scope, and Methodology                                                               Appendix I
APPENDIX I – OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this performance audit was to determine the effectiveness of the Department of the Treasury's information security programs and practices for the period July 1, 2011 to June 30, 2012 for its unclassified systems, and to determine whether non-Internal Revenue Service (IRS) Treasury bureaus had implemented:

       •   An information security program, consisting of policies, procedures, and security controls consistent with the Federal Information Security Management Act (FISMA) legislation.
       •   The security controls catalog contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 3, Recommended Security Controls for Federal Information Systems and Organizations.

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.

To accomplish our objectives, we evaluated security controls in accordance with applicable legislation, Presidential directives, the Department of Homeland Security (DHS) FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, dated March 6, 2012, and NIST standards and guidelines as outlined in the Criteria section. We reviewed the Department of the Treasury information security program from both the Department-level perspective for Department of the Treasury program-level controls and the Bureau-level implementation perspective. We considered each area above to reach an overall conclusion regarding the Department of the Treasury's information security program and practices.

We took a phased approach to satisfy the audit's objective as listed below:

    PHASE A: Assessment of Department-Level Compliance

    To gain an enterprise-level understanding, we assessed management, policies, and guidance for the overall Treasury-wide information security program per requirements defined in FISMA and DHS Federal Information Security Memorandum (FISM) 12-02, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management; NIST SP 800-53, Rev. 3; as well as Department of the Treasury guidelines developed in response to FISMA. This included program controls applicable to information security governance, certification and accreditation, security configuration management (CM), incident response and reporting, security training, plan of action and milestones (POA&M), remote access, account and identity management, continuous monitoring, contingency planning, and contractor systems.

    PHASE B: Assessment of Bureau-Level Compliance

    To gain a bureau-level understanding, we assessed the implementation of the guidance for the 12 [2] bureau- and office-wide information security programs according to requirements defined in FISMA and DHS FISM 12-02, NIST SP 800-53, Rev. 3, as well as Department of the Treasury guidelines developed in response to FISMA. This included program controls applicable to information security governance, certification and accreditation (C&A), security configuration management, incident response and reporting, security training, POA&M, remote access, account and identity management, continuous monitoring, contingency planning, and contractor systems.

    [2] TIGTA assessed IRS's bureau-level compliance.

    PHASE C: Assessment of the Implementation of Select Security Controls from the NIST SP 800-53 Rev. 3

    To gain an understanding of how effectively the bureaus implemented information security controls at the system level, we assessed the implementation of a selection of security controls from NIST SP 800-53, Rev. 3, for a subset of Department of the Treasury information systems (see Appendix V).

    Our scope included evaluating the information security practices and policies established by the Treasury Office of the Chief Information Officer (OCIO). In addition, we evaluated the information security practices, policies, and procedures in use across 12 bureaus of the Treasury, excluding the IRS.

We also tested a subset of 15 information systems from a total population of 118 non-IRS major applications and general support systems as of April 3, 2012. [3] We tested the 15 information systems to determine whether bureaus were effective in implementing the Department of the Treasury's security program and meeting the Federal Information Processing Standards (FIPS) 200 minimum security standards to protect information and information systems. Appendix IV, Approach to Selection of Subset of Systems, provides additional details regarding our system selection. The subset of systems encompassed systems managed and operated by 10 of 13 Treasury bureaus, excluding IRS, the Treasury Inspector General for Tax Administration (TIGTA), and the Office of Inspector General (OIG). [4]

[3] A subset of information systems refers to our approach of stratifying the population of non-IRS Department of the Treasury information systems and selecting an information system from each Department of the Treasury bureau, excluding IRS, TIGTA, and OIG, rather than selecting a random sample of information systems that might exclude a Treasury bureau.

[4] Our rotational system selection strategy precludes selecting systems reviewed within the past two years. In FY 2011, TIGTA was selected, and the OIG was selected in FY 2010. Therefore, each of those bureaus' systems was exempt from being reviewed in FY 2012.

Our criteria for selecting security controls within each system were based on the following:

    •    Controls that were shared across a number of information systems, such as common controls,
    •    Controls that were likely to change over time (i.e., volatility) and require human intervention, and
    •    Controls that were identified in prior audits as requiring management's attention.

Other Considerations

In performing our control evaluations, we interviewed key Treasury OCIO personnel who had significant information security responsibilities, as well as personnel across the non-IRS bureaus. We also evaluated the Department of the Treasury's and bureaus' policies, procedures, and guidelines. Lastly, we evaluated selected security-related documents and records, including C&A packages, configuration assessment results, and training records.

We performed our fieldwork at the Department of the Treasury's headquarters offices in Washington, D.C., and bureau locations in Washington, D.C.; Hyattsville, Maryland; Vienna, Virginia; and Parkersburg, West Virginia, during the period of April 12, 2012 through July 31, 2012. During our performance audit, we met with Department of the Treasury management to discuss our preliminary conclusions.

Criteria

We focused our FISMA performance audit approach on federal information security guidance developed by NIST and the Office of Management and Budget (OMB). NIST Special Publications provide guidelines that are considered essential to the development and implementation of agencies' security programs. [5] The following is a listing of the criteria used in the performance of the fiscal year (FY) 2012 FISMA performance audit:

•     OMB Circular A-130, Management of Federal Information Resources

•     NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems

•     NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems

•     NIST Special Publications:
      o 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
      o 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems
      o 800-30, Risk Management Guide for Information Technology Systems
      o 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems
      o 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
      o 800-39, Managing Risk from Information Systems: An Organizational, Mission and Information System View
      o 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations
      o 800-53A, Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
      o 800-60, Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories
      o 800-61, Rev. 1, Computer Security Incident Handling Guide
      o 800-70, Rev. 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers

•     OMB Memoranda:
      o 04-04, E-Authentication Guidance for Federal Agencies
      o 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act
      o 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
      o 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
      o 07-18, Ensuring New Acquisitions Include Common Security Configurations
      o 08-22, Guidance on the Federal Desktop Core Configuration (FDCC)

•     United States Department of Homeland Security:
      o FISM 12-02, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

•     Treasury Guidance:
      o TD P 85-01, Volume I, Treasury Information Technology Security Program

[5] Note (per FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics): While agencies are required to follow NIST standards and guidance in accordance with OMB policy, there is flexibility within NIST's guidance documents in how agencies apply the guidance. However, NIST Special Publication 800-53 is mandatory because FIPS 200 specifically requires it. Unless specified by additional implementing policy by OMB, guidance documents published by NIST generally allow agencies latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable and compliant with the guidance.


Status of Prior-year Findings                                                                                                                      Appendix II
APPENDIX II – STATUS OF PRIOR-YEAR FINDINGS

For the following prior-year findings, we evaluated the information systems to determine whether the recommendations have been implemented and the finding is closed. We inquired of Treasury personnel and inspected evidence to determine the status of the findings. If recommendations were determined to be implemented, we closed the findings. If recommendations were determined to be only partially implemented or not implemented at all, we determined the finding to be open. For 3 of the 28 findings, we were unable to test the implementation of the findings in time by our end of fieldwork date, June 30, 2012.
For these findings, we noted that they are closed but untested and should be evaluated as part of the FY 2013 independent evaluation.


Finding #1 – Office of Comptroller of Currency (OCC): Logical account management activities were not fully documented or consistently performed

    Prior-Year Condition: OCC did not have documented approvals to grant all new bank examiners access to a certain business application. OCC network administrators explained that a former OCC official gave verbal approval for all new bank examiners to access this business application an unknown number of years ago. Thus, sampled new users for the OCC system lacked evidence of management approval for the level of access granted to the system.

    Recommendation(s): We recommend that OCC management document the process for granting access to the newly hired bank examiners, including the associated user roles and required management approvals.

    Status: Implemented/Closed. OCC updated policies and procedures to cover the process for granting access to newly hired bank examiners.


Finding #1 – Office of Thrift Supervision (OTS): Logical account management activities were not fully documented or consistently performed

    Prior-Year Condition: OTS management did not establish a process to review system administrator and application service accounts for continued appropriateness for a sampled OTS application. Additionally, OTS did not document in the System Security Plan (SSP) or other application configuration document the application service accounts required for the application to function properly, thus limiting OTS's ability to identify unnecessary service accounts.

    Recommendation(s): We recommend that OCC, in its capacity managing prior OTS systems:
        1. Add the review of system administrator and application service accounts for the sampled system to the review of external user accounts.
        2. Document the purpose and use of application service accounts in the SSP or other publication.

    Status: Implemented/Closed. OCC decommissioned the OTS system.


Finding #1 – Treasury Inspector General for Tax Administration (TIGTA): Logical account management activities were not fully documented or consistently performed

    Prior-Year Condition: TIGTA did not fully document account management activities (e.g., review frequency, inactivity limits, use of shared accounts) in their SSPs. TIGTA management was unaware of the lack of documentation until a 2010 security assessment was conducted. In response to the security assessment, TIGTA established four corrective actions in the system's POA&M with scheduled completion dates of October 2011, April 2012, July 2012, and December 2012. These security weaknesses continued to exist at the time of the fiscal year (FY) 2011 FISMA audit.

    Recommendation(s): Based on TIGTA's planned corrective actions, we are not making a recommendation.

    Status: Open. TIGTA has not finished completing its corrective action.


Finding #1 – Departmental Offices (DO): Logical account management activities were not fully documented or consistently performed

    Prior-Year Condition: For a sampled DO system, new users were granted access without formal authorization, and DO did not review existing users' access for appropriateness concerning user privileges. DO officials did not have an effective process for authorizing new users and were unaware that a periodic review of user access for continued appropriateness was required.

    Recommendation(s): We recommend that DO management:
        1. Perform an annual review of end user accounts that addresses the appropriateness of user access rights. As stated in the DO SSP, the Information System Security Officers (ISSOs) and/or the system administrators of each minor application should perform this review.
        2. Develop and implement a formal account approval process. A formal approval form should exist for all system users, including contractors.

    Status: Implemented/Closed. DO has created policies and procedures over account approval and performs an annual review of user accounts to determine access appropriateness.
These forms should\n                                                                            be properly tracked and stored to\n                                                                            ensure that documentation is not\n                                                                            lost or deleted.\n\nFinding #1\xe2\x80\x93 Financial      For a sampled FMS payment management            We recommend that FMS                   Partially Implemented/Open.\nManagement Service         system, 12 user accounts out of 2,950           management:\n(FMS)                      inappropriately remained active following 90                                            We were informed that\n                           days of inactivity. Additionally, 920 user      1 Continue to monitor the               Recommendation 1 of the FY 2011\nLogical account            accounts out of 2,950 did not have a last login    automated solution to disable user   finding has been addressed. However, we\nmanagement activities were date recorded, suggesting these accounts may       accounts after 90 days of            noted that 268 active user accounts have\nnot fully documented or    never have been used by the account owner.         
inactivity in order to confirm the   not logged in greater than 90 days since\n\n\n                                                                                                                                                   Page 39\n\x0cStatus of Prior-year Findings                                                                                                                            Appendix II\n\n        Finding #                         Prior-Year Condition                            Recommendation(s)                                  Status\nconsistently performed        We noted a similar finding in a FY 2010                 automated solution is working in the list was generated (March 20, 2012 or\n                              financial statement audit for the sampled               all cases.                          earlier).\n                              system, but FMS\xe2\x80\x99s corrective actions to        2        Perform a manual monthly review\n                              implement a fully automated solution to                 of all user accounts, and disable\n                              disable inactive accounts were not fully                or delete (as appropriate) accounts\n                              effective. FMS attributed the noted conditions          that have not logged into the\n                              to human error during the transition to an              system within the prior 90 days\n                              automated solution. Prior to and after the              until the manual, monthly review\n                              transition to a fully automated solution, FMS           demonstrates that the automated\n                              did not monitor if the automated solution was           solution is working for three\n                              working as intended.                                    
consecutive months.\n\nFinding #2 \xe2\x80\x93 Community        The CDFI Fund did not report its single             We recommend that the CDFI Fund          Implemented/Closed.\nDevelopment Financial         security incident to Treasury Computer              management:\nInstitution (CDFI) Fund       Security Incident Response Capability                                                        CDFI has shifted the responsibility of their\n                              (TCSIRC) within the required one-hour time          1   Provide additional incident          incident response program to the Alcohol\nSecurity incidents were not   period for a Category 1 incident. Several               response training to increase        and Tobacco Tax and Trade Bureau\nreported timely               factors contributed to the late reporting. First,       awareness of the CDFI Fund\xe2\x80\x99s         (TTB), which is now responsible for\n                              the incident occurred outside of normal                 policies and procedures.             reporting incidents to TCSIRC.\n                              working hours. Second, the incident was             2   Remind all CDFI Fund staff of\n                              reported in a monthly report, 36 days late. The         their responsibility to timely\n                              delay in reporting was caused by CDFI                   report security incidents,\n                              Fund\xe2\x80\x99s officials incorrectly categorizing the           including events such as the loss\n                              incident. 
A CDFI Fund official also attributed          of mobile devices with one hour,\n                              the untimely reporting to the infrequent nature         to the CDFI Fund\xe2\x80\x99s IT team.\n                              of security incidents and the staff\xe2\x80\x99s                   Such reminders could be\n                              unfamiliarity with required reporting time              incorporated into employee\xe2\x80\x99s\n                              frames for Category 1 incidents.                        annual security awareness training\n                                                                                      or be included in periodic\n                                                                                      reminders to employees to protect\n                                                                                      sensitive information and report\n                                                                                      the loss of mobile devices to the\n                                                                                      CDFI Fund\xe2\x80\x99s IT team.\n                                                                                  3   Provide the CDFI Fund\n                                                                                      employees the capability to report\n                                                                                      security incidents to the IT team\n                                                                                      outside of normal working hours\n                                                                                      by establishing a shared incident\n\n\n                                                                                                                                                             Page 40\n\x0cStatus of Prior-year Findings                                 
                                                                                          Appendix II\n\n        Finding #                        Prior-Year Condition                          Recommendation(s)                                     Status\n                                                                                   response e-mail account and/or\n                                                                                   phone number for reporting\n                                                                                   purposes.\n\nFinding #2 \xe2\x80\x93 FMS              FMS employees did not immediately report         We recommend that FMS                      Closed/Untested.\n                              10 of 10 confirmed security incidents to         management:\nSecurity incidents were not   FMS\xe2\x80\x99s help desk as required by FMS policy.                                                  We noted that FMS corrected the design\nreported timely               Additionally, FMS\xe2\x80\x99s information security         1   Revise the current incident            of the Incident Response processes but did\n                              group did not report seven of these confirmed        reporting process and associated       not complete all corrective actions until\n                              security incidents to TCSIRC within the              written procedures to ensure           June 2012 and was unable to test the\n                              required one-hour time period for Category 1         timely reporting. This could           effectiveness. 
The finding will be tested as\n                              incidents (three security incidents were             include the FMS incident               part of the FY 2013 FISMA evaluation.\n                              reported in one day, two were reported in two        response management notifying\n                              days, and the remaining three were reported in       TCSIRC with suspected or\n                              three days). Rather than report all suspected        confirmed security events without\n                              and confirmed incidents, FMS failed to notify        the need for further FMS\n                              TCSIRC until sufficient evidence was                 Executive management approvals.\n                              gathered and approved by FMS executives as       2   Provide additional training to\n                              required by FMS policies and procedures.             FMS security personnel regarding\n                              Contributing to the untimely reporting was a         FMS\xe2\x80\x99s revised incident response\n                              lack of after-hours coverage by the incident         policies and procedures to ensure\n                              response personnel. Additionally, we                 these policies and procedures are\n                              attributed the untimely reporting by FMS             consistently implemented.\n                              employees to a lack of sufficient awareness      3   Consider, if feasible, a Distributed\n                              and training.                                        
Incident Response Team or a\n                                                                                   Partially Outsourced Team to\n                                                                                   achieve 24x7x365 coverage, per\n                                                                                   the NIST SP 800-61, Computer\n                                                                                   Security Incident Handling Guide.\n                                                                                   Such a strategy could involve\n                                                                                   sharing TSIRC resources with\n                                                                                   other Treasury bureaus.\n                                                                               4   Improve FMS employee\n                                                                                   awareness to report both\n                                                                                   confirmed and suspected security\n                                                                                   incidents to the FMS Service\n                                                                                   Desk. 
FMS could create\n                                                                                   awareness through periodic\n\n\n                                                                                                                                                             Page 41\n\x0cStatus of Prior-year Findings                                                                                                                        Appendix II\n\n        Finding #                        Prior-Year Condition                          Recommendation(s)                                 Status\n                                                                                   reminders via e-mail, posting\n                                                                                   security posters in common\n                                                                                   employee areas, and through\n                                                                                   increased emphasis in annual\n                                                                                   security and awareness training.\n\nFinding #2 \xe2\x80\x93 United States Mint did not report one of the 15 sampled           We recommend that Mint                   Implemented/Closed.\nMint (Mint)                 security incidents to TCSIRC within the            management:\n                            required one-hour time period for a Category                                                Mint has implemented a backup\nSecurity incidents were not 1 incident (the incident took 25 hours to          1   Have all tickets sent to the CSIRC   mechanism, which requires the reporter to\nreported timely             report). 
The delay in reporting was caused by          group mailbox as opposed to          contact the incident response team by\n                            the assigning of a ticket to a Mint Computer           individual members to ensure that    phone, leave a message, and also send an\n                            Security Incident Response Capability                  tickets are tracked properly.        e-mail to the incident response group e-\n                            (CSIRC) employee who was not in the office         2   Ensure a backup CSIRC member         mail account.\n                            when the incident was reported. When the               in place during the absence and/or\n                            Mint CSIRC employee returned to work, the              unavailability of the primary\n                            required time frame to report the security             individual. The backup CSIRC\n                            incident had passed.                                   member should be notified if the\n                                                                                   primary individual has not\n                                                                                   acknowledged the ticket within a\n                                                                                   designated time period.\n\nFinding #2 \xe2\x80\x93 TIGTA            TIGTA did not report one of the 15 security      We recommend that TIGTA                  Implemented/Closed.\n                              incidents to TCSIRC within the required one-     management:\nSecurity incidents were not   day time period for a Category 3 incident (the                                            TIGTA has updated its incident response\nreported timely               incident took five days to report). 
The          1   Assign an additional individual as   policies and procedures to provide\n                              untimely reporting of the security incident          a backup resource to the TIGTA       additional guidance over how to properly\n                              was caused by reduced staffing over a holiday        CSIRC for periods of reduced         handle security incidents. Additionally,\n                              period. Upon return, the employee failed to          staffing.                            TIGTA has entered into a contract\n                              take action within the required reporting time   2   Provide the TIGTA CSIRC the          agreement with an external vendor to\n                              frame for Category 3 incidents.                      ability to receive and address       provide additional coverage over incident\n                                                                                   security incidents outside of        response outside normal working hours.\n                                                                                   normal working hours by\n                                                                                   establishing a shared incident\n                                                                                   response e-mail account and/or\n                                                                                   phone number for reporting\n                                                                                   purposes. 
Additionally, consider\n                                                                                   participating in a shared Incident\n\n\n                                                                                                                                                         Page 42\n\x0cStatus of Prior-year Findings                                                                                                                       Appendix II\n\n        Finding #                      Prior-Year Condition                         Recommendation(s)                                   Status\n                                                                                Response team with another\n                                                                                Treasury bureau to provide\n                                                                                increased capabilities outside of\n                                                                                normal working hours.\n                                                                            3   Provide the TIGTA CSIRC\n                                                                                additional incident response\n                                                                                training to ensure they are aware\n                                                                                of TIGTA\xe2\x80\x99s policies and\n                                                                                procedures, including their\n                                                                                responsibility to timely report\n                                                                                security incidents.\n\nFinding #3 \xe2\x80\x93 DO             NIST and Treasury guidance require that         We recommend that DO management          Partially Implemented/Open.\n                  
          Treasury SSPs remain up-to-date and current     instruct the vendor to update the SSPs\nSSPs did not fully adopt    with the NIST Risk Management Framework         to include NIST SP 800-53, Rev. 3,       While DO updated the system security\nNIST recommended            and required NIST SP 800-53 security            security controls and associated         plan to reflect NIST SP 800-53, Rev. 3,\nsecurity controls from NIST controls. We noted that one sampled             control enhancements.                    for some controls, not all controls in the\nSpecial Publication (SP)    information system from DO utilized outdated                                             system security plan reflected NIST SP\n800-53, Rev. 3              NIST guidance (Rev. 2). Specifically, the                                                800-53, Rev. 3, guidance.\n                            SSPs did not include all required security\n                            controls as specified in NIST SP 800-53, Rev.\n                            3, Recommend Security Controls for Federal\n                            Information Systems and Organizations, dated\n                            August 2009.\n\n                            We noted that the conditions, cited above for\n                            DO had various factors including the bureau\n                            and vendor\xe2\x80\x99s misunderstanding of contract\n                            requirements to maintain compliance with all\n                            NIST standards.\n\nFinding #3 \xe2\x80\x93 Mint           NIST and Treasury guidance require that         We recommend that Mint                   Implemented/Closed.\n                            Treasury SSPs remain up-to-date and current     management:\nSSPs did not fully adopt    with the NIST Risk Management Framework                                                 Mint updated the system security plans to\nNIST recommended            and required 
NIST SP 800-53 security            1   Update their Information Security reflect NIST SP 800-53, Rev. 3, controls.\nsecurity controls from NIST controls. We noted that one sampled                 Program\xe2\x80\x99s policies and\nSP 800-53, Rev. 3           information system from Mint utilized               procedures to require that all SSPs\n                            outdated NIST guidance (Rev. 2).                    are updated to include the latest\n\n\n                                                                                                                                                        Page 43\n\x0cStatus of Prior-year Findings                                                                                                                         Appendix II\n\n         Finding #                      Prior-Year Condition                          Recommendation(s)                                     Status\n                            Specifically, the SSPs did not include all            NIST SP 800-53 controls and\n                            required security controls as specified in            control enhancements one year\n                            NIST SP 800-53, Rev. 3, Recommend                     after issued.\n                            Security Controls for Federal Information         2    Ensure that all existing SSPs are\n                            Systems and Organizations, dated August               800-53, Rev. 
3 compliant.\n                            2009.\n\n                            We noted that the conditions, cited above for\n                            Mint had various factors including Mint\n                            management had an informal policy to only\n                            update SSPs during reaccreditation; therefore,\n                            the sampled SSPs had not been updated since\n                            the next reaccreditation cycle had not begun.\n\nFinding #3 \xe2\x80\x93 FMS            During the audit period, FMS revised their        We recommend that FMS                 Open.\n                            SSP template and associated checklist to          management ensure that System\nSSPs did not fully adopt    incorporate NIST SP 800-53, Rev. 3, controls.     Owners and ISSOs review and update FMS did not fully implement NIST 800-\nNIST recommended            However, the sampled system\xe2\x80\x99s SSP utilized        SSPs by using the FMS-approved SSP 53, Rev. 3, controls for the SSP.\nsecurity controls from NIST older Rev 2 controls and FMS\xe2\x80\x99s quality            template and baseline security\nSP 800-53, Rev. 3           control process did not reject this sampled       requirements, which incorporate NIST\n                            SSP.                                              SP 800-53, Rev. 3, security controls.\n\nFinding #4 \xe2\x80\x93 FMS            For a sampled application, FMS did not            We recommend that FMS                      Closed/Untested.\n                            document their weekly review of failed login      management:\nInsufficient audit log      events during the FISMA audit period. 
While                                                  We were informed that all\nreviews                     FMS took actions to address a similar issue in    1   Identify and document significant      recommendations of the FY 2011 finding\n                            a prior-year financial statement audit by             audit events that warrant review       have been addressed. However, We noted\n                            developing audit log review procedures for            and further investigation.             that additional significant audit events\n                            failed login attempts, the limited scope of       2   Update the SSP in order to reflect     were identified and three new reports were\n                            FMS\xe2\x80\x99s corrective actions did not include a            the results of the risk analysis and   created (High Dollar Payee Settlement\n                            risk analysis necessary to identify significant       clearly assign ownership and           Report, Payee Settlement with Name\n                            audit events worthy of review and subsequent          responsibility for implementing        Change Report, and 700-Weekly Frontier\n                            investigations, as suggested by NIST SP 800-          the agreed upon audit log review       Security Audit Report). These reports\n                            53 security control AU-2, Auditable Events.           procedures.                            were available in May 2012, making these\n                            The audit log review and SSP did not address      3   Ensure that sufficient resources       reports not reviewable from July 1, 2011\n                            broader user account activities such as the           are available to implement audit       until May 2012. The finding will be tested\n                            creation of new accounts with administrative          log review procedures.                 
as part of the FY 2013 FISMA evaluation.

capabilities or changes in user account permissions. In addition, the proposed audit log review procedures did not include monitoring changes to specific information system components such as the database, sensitive files, or production source code. Finally, the implemented audit log procedures did not address potentially suspicious or unusual transactions that could be performed in the sampled payment management system.

Finding #5 – Bureau of Public Debt (BPD): Improper media sanitization schedule

Prior-Year Condition: BPD’s media sanitization process did not ensure a clear chain of custody and full accounting of the media throughout the entire media sanitization process. We observed four unsecured cardboard boxes, containing over 150 hard drives waiting to be sanitized, adjacent to the cubicle of the IT specialist responsible for media sanitization. These boxes of hard drives were not stored in a secured container or secured room that restricted access to only individuals involved in the media sanitization process.

Recommendation(s): We recommend that BPD management:
1. Implement its BLSRs and associated procedures on maintaining a clear chain of custody, properly securing media when stored, and reconciliation of media received and sent for destruction.
2. Train BPD IT specialists on the BPD media sanitization policies and procedures in order to protect the confidentiality of the bureau’s sensitive information.

Status: Implemented/Closed. BPD developed Standard Operation Procedure 2.2.85, OIT Excess and Media Sanitation Tracking (hard drives, mobile media), to prepare and track media that has been degaussed.

Finding #6 – FMS: POA&Ms were not tracked and remediated in accordance with NIST and Department of the Treasury requirements

Prior-Year Condition: FMS did not record and update security vulnerabilities in a timely manner for three sampled systems. For the sampled systems, we noted that FMS did not review and revise expected completion dates for corrective actions, record known high-risk vulnerabilities that FMS could not close in 60 days, or correctly report the completion status of outstanding POA&M items. In both the FY 2009 and FY 2010 FISMA audits at FMS, we noted similar POA&M weaknesses for different information systems. FMS took corrective actions to resolve the immediate instances of noncompliance; however, FMS did not resolve bureau-wide challenges to accurately and sufficiently report all system security weaknesses in POA&Ms. A lack of System Owner and ISSO accountability, as indicated in their Appointment Letters, and communication issues between the ISSOs and FMS’s information security group contributed to the conditions described above.

Recommendation(s): We recommend that FMS management:
1. Perform a comprehensive study of FMS’s POA&M management practices to resolve ongoing auditor-identified POA&M challenges. Based on the outcome of this study, FMS should implement corrective actions designed to ensure complete, accurate and timely reporting of POA&M items.
2. Strengthen FMS’s existing policies and procedures regarding POA&Ms based on the outcome of FMS’s study. The revised FMS policies and procedures should define roles, responsibilities, and expected communication frequency among key participants and decision makers.
3. Promote increased involvement by FMS executives and Authorizing Officials in the POA&M management process. Such actions could include establishing performance metrics and associated incentives and/or disincentives for FMS management personnel to accurately report and resolve noted security weaknesses in their portfolio of information systems.
4. Promote personal accountability for executing information security responsibilities, such as those listed in the ISSO and System Owner Appointment Letters, by incorporating those responsibilities and expected outcomes in the employees’ Annual Performance Plan.

Status: Closed/Untested. We noted that FMS corrected the design of the POA&M process but did not complete all corrective actions until the end of the FISMA year. We also noted that specific system POA&M issues stemming from the corrective actions were not completed until later in the year. The finding will be tested as part of the FY 2013 FISMA evaluation.

Finding #6 – OTS: POA&Ms were not tracked and remediated in accordance with NIST and Department of the Treasury requirements

Prior-Year Condition: At OTS, we observed that OTS system administrators were aware of a high-risk security vulnerability in one of the sampled information systems for over a 30-day period and did not record this weakness in the system’s POA&M. Regarding the untimely update of the POA&M at OTS, management indicated that other operational priorities, associated with the transition of bank supervisory responsibilities to the Office of the Comptroller of the Currency, were a higher priority.

Recommendation(s): We have no recommendation for OTS management to improve the POA&M process, as OTS ceased operations on July 21, 2011 due to the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Status: Implemented/Closed. The OTS system was decommissioned.

Finding #7 – CDFI Fund: Vulnerability scanning and remediation was not performed in accordance with Department of the Treasury requirements

Prior-Year Condition: The CDFI Fund did not ensure that its service provider, TTB, conducted monthly vulnerability scans of its Web server as required by Treasury and the CDFI Fund’s IT security policy. Although the CDFI Fund outsourced the hosting of its infrastructure to TTB, the CDFI Fund did not require TTB to conduct monthly vulnerability scans of the CDFI Fund Web server in their Interconnection Security Agreement.

Recommendation(s): We recommend that CDFI Fund management:
1. Revise the Interconnection Security Agreement with TTB to define clear roles and responsibilities for providing services and implementing associated security controls such as vulnerability scanning.
2. Enhance the continuous monitoring strategy for outsourced information systems to ensure that NIST and Treasury required security controls are implemented and operating effectively. As part of the strategy, share the results with appropriate CDFI Fund System Owners and IT management.

Status: Implemented/Closed. CDFI modified its Interconnection Security Agreement with TTB to clearly assign vulnerability scanning roles and responsibilities.

Finding #7 – DO: Vulnerability scanning and remediation was not performed in accordance with Department of the Treasury requirements

Prior-Year Condition: A DO system’s vulnerability scan report from October 2010 contained multiple high-risk vulnerabilities that were not remediated 30 days after discovery as required by DO’s IT Security policy. For the sampled information system, DO’s vendor deemed certain devices not to be essential to the successful operation of the information system, and therefore did not patch those devices.

Recommendation(s): We recommend that DO management direct personnel charged with remediating vulnerabilities to track open, unresolved vulnerabilities in system POA&Ms when the anticipated remediation will exceed 30 days.

Status: Implemented/Closed. DO has directed personnel to follow bureau-level policies and procedures for entering open vulnerabilities into POA&Ms. DO personnel have updated POA&Ms to include open vulnerabilities. Additionally, DO has updated its
vulnerability scan process to include all system devices to identify all flaws.

Finding #7 – OTS: Vulnerability scanning and remediation was not performed in accordance with Department of the Treasury requirements

Prior-Year Condition: OTS did not consistently scan its application servers on a monthly basis as required by NIST and Department of the Treasury requirements and OTS Continuous Monitoring procedures. OTS personnel verbally outlined a risk-based set of scanning frequencies that was not documented and not verifiable at the system level. Further, we noted that OTS management was aware of these flaws and indicated that it lacked the resources to scan more frequently.

Recommendation(s): We are not making a recommendation to OTS management as this finding relates to process gaps in the OTS vulnerability scanning procedures and OTS ceased operations on July 21, 2011 due to the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Status: Implemented/Closed. The OTS system was decommissioned.

Finding #8 – DO: Contingency planning and testing and backup controls were not fully implemented or operating as designed

Prior-Year Condition: Daily incremental and weekly full backups of DO data to tape for one sampled DO system were not performed by DO Operations as defined by the DO SSP and the DO Information Technology Security Handbook. Both the DO SSP and the DO Information Technology Security Handbook require incremental daily backups and full weekly backups. DO Operations only performed successful incremental backups to tape three to four times a month beginning in January 2011. The infrequency of backups was due to an insufficient backup system, whose server had to be continually restarted (i.e., rebooted). Prior to January 2011, DO did not retain the data or records from backups, due to a lack of sufficient storage on tapes. Additionally, backups were not tested to determine if they were reliable and complete. Finally, for another sampled DO system, DO lacked a backup process for configuration files residing in firewalls, intrusion prevention systems and Transport Support Devices (e.g., routers, switches, etc.). We observed that DO management was unaware of this issue. Once informed of this significant security weakness, DO management created a POA&M item to track the issue to closure.

Recommendation(s): We recommend that DO management:
1. Adhere to the defined frequency of backup jobs as stated in the DO SSP. Incremental backups to tape should be performed on a daily basis, while full backups should be performed on a weekly basis.
2. Determine whether an upgraded version of DO’s backup solution or a different backup tool will remediate the unexpected server shutdowns and restarts.
3. Perform a monthly test of physical tapes to verify their reliability and integrity as defined within the DO SSP. If the tapes fail, replace them as needed.
4. Increase backup storage capacity to ensure that archived data is not overwritten prematurely and data retention standards are observed.

Status: Implemented/Closed. DO has updated its backup process to perform backups on a daily and weekly basis and to test backups on a monthly basis. Additionally, DO has increased the backup storage capacity.

Finding #8 – FMS: Contingency planning and testing and backup controls were not fully implemented or operating as designed

Prior-Year Condition: FMS did not complete a failover and contingency plan test for two Critical Infrastructure Protection (CIP) payment management systems residing at FMS in accordance with FMS security standards and NIST SP 800-53 Rev. 3 requirements. During the nine-month period from October 1, 2010 through June 30, 2011, these two CIP systems processed 911 million payments totaling $1.93 trillion. These two systems process nearly all Social Security Administration payments, Medicare and Medicaid payments, IRS tax refunds, Veterans Affairs payments, and other United States government vendor payments. However, these two systems had only undergone a tabletop disaster recovery test during FY 2010 and FY 2011 and had not completed a full disaster recovery test at the recovery site in the prior two years. Per FMS and NIST SP 800-34 requirements, disaster recovery simulation exercises, such as tabletop exercises, are sufficient for “Moderate” systems but not for “High” impact systems. FMS categorized these CIP systems as having a “High” FIPS 199 impact rating with a two-hour recovery time objective. This designation requires FMS to perform a failover, recovery and reconstitution (including communications with applications and third parties) of critical systems at an alternate site on an annual basis. FMS delayed failover contingency plan tests in FY 2011 and FY 2010 due to operational priorities to relocate and consolidate data centers.

Recommendation(s): We recommend that FMS management expedite the planned disaster recovery testing at the alternate recovery site to confirm that (a) FMS can resume mission critical functions within the stated two-hour recovery window and (b) the applications can operate successfully and communicate with other essential applications and third parties.

Status: Open. FMS did not perform failover testing for the two systems during the FISMA testing period.

Finding #8 – TTB: Contingency planning and testing and backup controls were not fully implemented or operating as designed

Prior-Year Condition: Backups were not consistently successful or completed on a scheduled basis at TTB. For the sampled TTB system, 69 (42 percent) of the 164 sampled scheduled jobs were unsuccessful. Additionally, daily backups did not occur on 39 (11 percent) of 365 days. TTB system backups were performed by a service provider, and TTB management did not have policies and procedures in place to detect the backup failures or to require the service provider to notify TTB when scheduled backups were not performed or backup jobs failed.

Recommendation(s): We recommend that TTB management develop and implement policies and procedures to detect backup failures and remediate unsuccessful backups.

Status: Implemented/Closed. TTB has closed this prior-year finding since it now conducts its own system backups rather than outsourcing the responsibility. We tested the effectiveness of this control as part of the 2012 FISMA audit by inspecting evidence of the successful completion of backups.

Finding #8 – TIGTA: Contingency planning and testing and backup controls were not fully implemented or operating as designed

Prior-Year Condition: The selected TIGTA system lacked sufficient documentation regarding the system’s contingency plan and contingency plan testing. Specifically, the documentation did not include certain key software used. TIGTA management identified these weaknesses during a 2010 security assessment and established two POA&M items with scheduled completion dates of January 2012 and June 2012.

Recommendation(s): Based on TIGTA’s planned corrective actions, we are not making a recommendation.

Status: Open. TIGTA has not finished completing its corrective action.

Finding #9 – OTS: Outdated and unsupported software was utilized

Prior-Year Condition: OTS utilized an unsupported operating system whose vendor had ceased releasing security patches to resolve new security exploits and software flaws. Although the application server resided behind the OTS firewall, the application server was vulnerable to new security exploits and viruses due to the outdated operating system.

Recommendation(s): Following the notification and discussion of the vulnerability with OTS IT personnel, OTS moved the application server to a virtual machine running a supported operating system. OTS also provided evidence that all required security patches were installed. We are not making a recommendation to OTS management as they took corrective actions to resolve the noted vulnerability.

Status: Implemented/Closed. The OTS system was decommissioned.

Finding #10 – TIGTA: Risk management program was not consistent with NIST SP 800-37, Rev. 1

Prior-Year Condition: TIGTA was aware of the requirement to comply with NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems, by February 2011, but had not updated its risk management program at the time of the FY 2011 FISMA audit. NIST SP 800-37 Rev. 1 was issued in February 2010, and OMB requires federal agencies to adopt NIST guidance within one year of issuance. We did not determine a cause as the weakness was self-reported. TIGTA created a POA&M item to address identified gaps and developed corrective actions to become compliant, with a completion date of August 2014. An insufficient risk management program can lead to ineffective risk-based decision-making and untimely implementation of system-level controls.

Recommendation(s): Based on TIGTA’s planned corrective actions, we are not making a recommendation.

Status: Open. TIGTA has not finished completing its corrective action.

Finding #11 – Financial Crimes Enforcement Network (FinCEN): Improper personnel termination procedures

Prior-Year Condition: FinCEN was unable to provide completed personnel separation forms for 18 of 25 separated employees and contractors sampled as evidence that it completed its exit clearance procedures. For 14 of the 18 individuals missing a separation form, additional evidence substantiating that these individuals returned all government-issued property was inconclusive. FinCEN indicated that these forms were likely lost or misplaced, as the employee and contractor separation process was manual and involved a paper, rather than electronic, form. Nevertheless, FinCEN asserted that the separation process was followed for all departing employees, regardless of the missing forms.

Recommendation(s): We recommend that FinCEN management:
1. Provide training on the requirements of FinCEN’s Personnel Separations Process Directive regarding employee separation to all parties involved in the exit process.
2. Maintain the employee exit forms in accordance with Treasury records management requirements.

Status: Implemented/Closed. FinCEN revised its documentation to require forms to be stored on a central shared drive. The shared drive is accessible only to authorized personnel.

Finding #12 – DO: Improper system configuration programs

Prior-Year Condition: A sampled DO system did not implement FDCC configurations for its desktops or obtain a waiver to implement a different standard. DO management self-reported this weakness and created a POA&M for it.

Recommendation(s): Based on DO’s planned corrective actions, we are not making a recommendation.

Status: Implemented/Closed. DO enforced baselines for the system through Group Policy Objects.
Additionally, DO has maintained an approved Federal Desktop Core Configuration deviation memo.

Finding #12 – TIGTA: Improper system configuration programs

Prior-Year Condition: The sampled TIGTA system lacked formal documentation in certain areas of configuration management. TIGTA management identified this weakness in a 2010 security assessment and created POA&M remediation actions to address the weaknesses identified, with a completion date of May 2012.

Recommendation(s): Based on TIGTA’s planned corrective actions, we are not making a recommendation.

Status: Open. TIGTA has not finished completing its corrective action.

The Department of the Treasury’s Consolidated Response to DHS’s FISMA 2012 Questions for Inspectors General                                  Appendix III

APPENDIX III – THE DEPARTMENT OF THE TREASURY’S CONSOLIDATED RESPONSE TO DHS’s FISMA 2012 QUESTIONS FOR INSPECTORS GENERAL

The information included in Appendix III represents the Department of the Treasury’s consolidated responses to the Department of Homeland Security’s (DHS) FISMA 2012 questions for Inspectors General. KPMG prepared responses to the DHS questions based on an assessment of 15 information systems across 13 Treasury components, excluding the IRS, OIG and TIGTA. TIGTA performed audit procedures over the IRS information systems and provided its answers to the Treasury OIG and KPMG for consolidation. These answers are included within the table below. The information provided by TIGTA has not been subjected to KPMG audit procedures and, accordingly, we express no opinion on it.

1: Continuous Monitoring

Status of Continuous Monitoring Program [check one: Yes or No]

1.1. Has the Organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? [Yes] If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

1.1.1. Documented policies and procedures for continuous monitoring (NIST 800-53: CA-7). [Yes]

1.1.2. Documented strategy and plans for continuous monitoring (NIST 800-37 Rev 1, Appendix G). [Yes]

1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST 800-53, NIST 800-53A). [Yes]

1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions and updates with the frequency defined in the strategy and/or plans (NIST 800-53, NIST 800-53A). [Yes]

1.2. Please provide any additional information on the effectiveness of the Organization’s Continuous Monitoring Management Program that was not noted in the questions above.

Comments – Treasury OIG: FMS did not have sufficient audit logging capability for a selected system. DO did not perform audit log reviews for a selected system. FMS did not perform audit log reviews for a selected system. (See Finding #4)

2: Configuration Management

Status of Configuration Management Program [check one: Yes or No]

2.1. Has the Organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? [Yes] If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

2.1.1. Documented policies and procedures for configuration management. [Yes]

2.1.2. Standard baseline configurations. [No]

Comments – Treasury OIG: BPD did not document baseline configurations for two selected systems. FMS did not document all required aspects of baseline configuration for a selected system. TIGTA did not identify standard baseline configurations. (See Finding #10 and Prior-Year Finding #12)

2.1.3. Assessing for compliance with baseline configurations. [No]

Comments – Treasury OIG: FinCEN baseline configurations for a selected system did not meet compliance requirements. (See Finding #10)

Comments – TIGTA: The IRS is still in the process of implementing tools compliant with the Security Content Automation Protocol to perform security configuration assessments for Windows and UNIX systems.

2.1.4. Process for timely, as specified in Organization policy or standards, remediation of scan result deviations. [Yes]

2.1.5. For Windows-based components, FDCC/USGCB secure configuration settings fully implemented, and any deviations from FDCC/USGCB baseline settings fully documented. [No]

Comments – Treasury OIG: OCC did not implement restrictive settings for two selected systems. (See Finding #9)

Comments – TIGTA: The IRS has not yet fully documented Windows 7 FDCC/USGCB deviations.

2.1.6.
Documented proposed or actual changes to the hardware and software configurations\n\n                                          Comments \xe2\x80\x93 Treasury OIG: DO did not track and detect unauthorized changes to a selected system (See\n                                          Finding #9)\n                                 No\n                                          Comments \xe2\x80\x93 TIGTA: The IRS had not yet fully implemented configuration and change management controls\n                                          to ensure that proposed or actual changes to hardware and software configurations are documented. During\n                                          FY 2012, the Enterprise Services organization was in the process of implementing the Enterprise\n                                          Configuration Management System to provide an enterprise solution for configuration and change\n                                          management.\n                                          2.1.7. Process for the timely and secure installation of software patches.\n\n                                 No       Comments \xe2\x80\x93 TIGTA: During the FY 2012 FISMA evaluation period, a TIGTA audit to evaluate the IRS\xe2\x80\x99s\n                                          enterprise-wide patch management process identified that critical patches continue to be missing or are\n                                          installed in an untimely manner on IRS computers.\n                                          2.1.8. Software assessing (scanning) capabilities are fully implemented (NIST 800-53: RA-5, SI-2).\n\n                                          Comments \xe2\x80\x93 Treasury OIG: FMS was unable to provide evidence that scanning was being performed for\n                                          two selected systems. 
(See Finding #6 and Financial Statement Finding #3).\n                                 No\n                                          Comments \xe2\x80\x93 TIGTA: The IRS\xe2\x80\x99s software assessing (scanning) capabilities are not yet fully implemented.\n                                          The IRS Cybersecurity organization is still in the process of coordinating with information system owners to\n                                          implement vulnerability scanning enterprise-wide. For vulnerability scans the IRS did conduct, analyses of\n\n\n\n                                                                                                                                               Page 54\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2012 Questions for Inspectors General                                 Appendix III\n\n                                           2.1.3. Assessing for compliance with baseline configurations\n\n                                           Comments \xe2\x80\x93 Treasury OIG: FinCEN baseline configurations for a selected system did not meet compliance\n                                 No        requirements (See Finding #10)\n\n                                           Comments \xe2\x80\x93 TIGTA: The IRS is still in the process of implementing tools compliant with the Security\n                                           Content Automation Protocol to perform security configuration assessments for Windows and UNIX systems.\n                                           the scans were not being performed by the system owners. In addition, the IRS has not yet deployed an\n                                           automated mechanism to detect the presence of unauthorized software on IRS information systems.\n                                           2.1.9. 
Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner,\n                                           as specified in Organization policy or standards (NIST 800-53: CM-4, CM-6, RA-5, SI-2).\n\n                                           Comments \xe2\x80\x93 Treasury OIG: Mint, OCC, BPD, and DO did not remediate vulnerabilities in a timely manner\n                                           (See Finding #6)\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: In June 2012, the TIGTA reported that monthly scanning results were not consistently\n                                           being used to correct improper settings on Windows servers in a timely manner, but rather, security\n                                           vulnerabilities of high, medium, and low risk levels were repeatedly reported on Windows Policy Checker\n                                           reports for two or three consecutive months.\n                                           2.1.10. Patch management process is fully developed, as specified in Organization policy or standards (NIST\n                                           800-53: CM-3, SI-2).\n\n                                 No         Comments \xe2\x80\x93 TIGTA: Due to the lack of enterprise-level oversight and leadership, the IRS has not yet\n                                            implemented key elements of its patch management policies and procedures that are needed to ensure all IRS\n                                            systems are patched timely and operating securely. The IRS\xe2\x80\x99s current monitoring processes are not sufficient\n                                            to ensure that vulnerabilities resulting from unpatched systems are successfully and timely remediated.\n                                       2.2. 
Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Configuration\n                                       Management Program that was not noted in the questions above.\n\n                                       Comments \xe2\x80\x93 Treasury OIG: FMS did not have a management-approved list of all privileged programs that reside\n                                       on the mainframe. Federal Financing Bank (FFB) had discrepancies in the cash receipt amounts included in the\n                                       cash receipt report. (See Financial Statement Finding #2 and Financial Statement Finding #7)\n\n                                       Comments \xe2\x80\x93 TIGTA: The IRS should ensure that data collected by its various tools and organizations will be\n                                       efficiently utilized and that the IRS is not developing duplicative configuration management processes or products.\n                                       For example, our discussions with the IRS Cybersecurity and Enterprise Services organizations revealed that an\n                                       approach for integrating the configuration management data collected by both organizations has not yet been\n                                       formulated.\n\n\n\n\n                                                                                                                                                 Page 55\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2012 Questions for Inspectors General                                  Appendix III\n\n3: Identity and Access Management\nStatus of Identity and Access          3.1 Has the Organization established an identity and access management program that is consistent with FISMA\nManagement Program [check one:             requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? 
If yes,\n                                 Yes\nYes or No]                                 besides the improvement opportunities that have been identified by the OIG, does the program include the\n                                           following attributes:\n                                           3.1.1. Documented policies and procedures for account and identity management (NIST 800-53: AC-1)\n                                 No\n                                           Comments \xe2\x80\x93 Treasury OIG: TIGTA did not formally document account management activities for a selected\n                                           system (See Prior-Year Finding #1)\n                                           3.1.2. Identifies all users, including federal employees, contractors, and others who access Organization\n                                 Yes\n                                           systems.\n                                           3.1.3. Identifies when special access requirements (e.g., multi-factor authentication) are necessary.\n                                 No        Comments \xe2\x80\x93 Treasury OIG: FMS did not fully implement multifactor authentication as required by NIST\n                                           and Treasury guidance (See Finding #11).\n                                           3.1.4. If multi-factor authentication is in use, it is linked to the Organization\'s PIV program.\n\n                                 No        Comments \xe2\x80\x93 TIGTA: The IRS has not deployed multifactor authentication via the use of an HSPD-12 PIV\n                                           card for all users for network and local access to nonprivileged or privileged accounts as required by Federal\n                                           mandate.\n                                           3.1.5. 
Organization has adequately planned for implementation of PIV for logical access in accordance with\n                                           Treasury policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: The IRS has experienced significant delays in deploying PIV cards for logical access,\n                                           which reveals the IRS\xe2\x80\x99s inadequate planning efforts.\n                                           3.1.6. Ensures that the users are granted access based on needs and separation of duties principles.\n\n                                           Comments \xe2\x80\x93 Treasury OIG: FinCEN had a user account with access permissions that were not longer\n                                           necessary. FMS did not document separation of duties principles (See Finding #1 and Financial Statement\n                                 No\n                                           Finding #1)\n\n                                           Comments \xe2\x80\x93 TIGTA: Two of the three general support systems in our sample of 10 IRS systems did not have\n                                           the controls in place to ensure users are granted access based on needs or to enforce separation of duties.\n\n\n\n\n                                                                                                                                                  Page 56\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2012 Questions for Inspectors General                                   Appendix III\n\n\n                                           3.1.7. 
Identifies devices that are attached to the network and distinguishes these devices from users (for\n                                           example: IP, phones, faxes, printers, are examples of devices attached to the network that are distinguishable\n                                           from desktops, laptops, or servers that uses accounts).\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: The IRS informed us that Business DNA will be its enterprise asset discovery tool for\n                                           identifying devices on its network. Business DNA network scans can identify devices with internet protocol\n                                           addresses that are attached to the network and distinguish these devices from users. However, the full\n                                           implementation of the Business DNA tool is not expected to be completed until September 2012.\n                                           3.1.8. Identifies all User and Non-User Accounts (refers to user accounts that are on a system. Examples of\n                                           non-user accounts are accounts such as an IP that is set up for printing. Data user accounts are created to pull\n                                           generic information from a database or a guest/anonymous account for generic login purposes that are not\n                                 No        associated with a single user or a specific group of users).\n\n                                           Comments \xe2\x80\x93 TIGTA: No information was provided to determine how the IRS identifies all user and nonuser\n                                           accounts.\n                                           3.1.9. 
Ensures that accounts are terminated or deactivated once access is no longer required.\n\n                                           Comments \xe2\x80\x93 Treasury OIG: TTB did not properly terminate accounts as required by NIST and Treasury\n                                           guidance. FMS did not properly terminate inactive accounts. (See Finding #1 and Prior-Year Finding #1)\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: Three systems in our sample of 10 IRS systems (two general support systems and one\n                                           application) did not have controls in place to ensure accounts are terminated or deactivated once access is no\n                                           longer needed.\n                                           3.1.10. Identifies and controls use of shared accounts.\n\n                                            Comments \xe2\x80\x93 TIGTA: One of the general support systems in our sample of 10 IRS systems was not\n                                 No         adequately identifying and controlling use of shared accounts. Also, in June 2012, the TIGTA reported that\n                                            administrative accounts on Windows servers were not being properly safeguarded in accordance with IRS\n                                            policy. Consequently, individual accountability was lost as to by whom and for what purposes these full-\n                                            privileged accounts were being accessed.\n                                       3.2. Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Identity and Access\n                                       Management that was not noted in the questions above.\n\n                                       Comments \xe2\x80\x93 Treasury OIG: OCC did not incorporate all user accounts into periodic access review. 
FinCEN did\n                                       not review access permissions on a annual basis. DO did not formally document all access request forms. BPD was\n                                       unable to provide evidence of user last log on for testing of inactive users (See Finding #1)\n\n\n\n\n                                                                                                                                                   Page 57\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2012 Questions for Inspectors General                                   Appendix III\n\n4: Incident Response and Reporting\nStatus of Incident Response and         4.1 Has the Organization established an incident response and reporting program that is consistent with FISMA\nReporting Program [check one:     Yes       requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities\nYes or No]                                  that may have been identified by the OIG, does the program include the following attributes:\n                                            4.1.1. Documented policies and procedures for detecting, responding, and reporting to incidents (NIST 800-\n                                  Yes\n                                            53: IR-1).\n                                  Yes       4.1.2. Comprehensive analysis, validation, and documentation of incidents.\n                                            4.1.3. 
When applicable, reports to US-CERT within established time frames (NIST 800-53, 800-61, and OMB\n                                            M-07-16, M-06-19).\n                                  No\n                                             Comments \xe2\x80\x93 Treasury OIG: BEP, BPD, and FinCEN did not report incidents within required time frames.\n                                             FMS did not report incidents within required time frames (See Finding #2 and Prior-Year Finding #2)\n                                  Yes        4.1.4. When applicable, reports to law enforcement within established time frames (SP 800-86).\n                                             4.1.5. Responds to and resolves incidents in a timely manner, as specified in Organization policy or standards,\n                                  Yes\n                                             to minimize further damage (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).\n                                  Yes        4.1.6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.\n                                  Yes        4.1.7. Is capable of correlating incidents.\n                                             4.1.8. There is sufficient incident monitoring and detection coverage in accordance with government policy\n                                  Yes\n                                             (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).\n                                        4.2. 
Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Incident Response and\n                                        Reporting Program that was not noted in the questions above.\n\n5: Risk Management\nStatus of Risk Management               5.1 Has the Organization established a risk management program that is consistent with FISMA requirements,\nProgram [check one: Yes or No]    Yes       OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have\n                                            been identified by the OIG, does the program include the following attributes:\n                                            5.1.1. Documented and centrally accessible policies and procedures for risk management, including\n                                  Yes\n                                            descriptions of the roles and responsibilities of participants in this process.\n                                            5.1.2. Addresses risk from an organization perspective with the development of a comprehensive governance\n                                            structure and organization-wide risk management strategy as described in NIST 800-37, Revision 1.\n                                  No\n                                            Comments \xe2\x80\x93 Treasury OIG: TIGTA did not update risk management program with NIST 800-37 guidance\n                                            (See Prior-Year Finding #10)\n                                            5.1.3. 
Addresses risk from a mission and business process perspective and is guided by the risk decisions at\n                                            the organizational perspective, as described in NIST 800-37, Revision 1.\n                                  No\n                                            Comments \xe2\x80\x93 Treasury OIG: TIGTA did not update risk management program with NIST 800-37 guidance\n                                            (See Prior-Year Finding #10)\n                                            5.1.4. Addresses risk from an information system perspective and is guided by the risk decisions at the\n                                  Yes\n                                            organizational perspective and the mission and business perspective, as described in NIST 800-37, Revision 1.\n\n\n                                                                                                                                                    Page 58\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2012 Questions for Inspectors General                                      Appendix III\n\n                                 Yes       5.1.5. Categorizes information systems in accordance with government policies.\n                                 Yes       5.1.6. Selects an appropriately tailored set of baseline security controls.\n                                           5.1.7. Implements the tailored set of baseline security controls and describes how the controls are employed\n                                           within the information system and its environment of operation.\n                                 No\n                                           Comments \xe2\x80\x93 Treasury OIG: OCC, FMS, and DO did not adequately document the implementation of\n                                           controls as required by NIST and Treasury guidance. 
(See Finding #3 and Prior-Year Finding #3)\n                                           5.1.8. Assesses the security controls using appropriate assessment procedures to determine the extent to which\n                                 Yes       the controls are implemented correctly, operating as intended, and producing the desired outcome with respect\n                                           to meeting the security requirements for the system.\n                                           5.1.9. Authorizes information system operation based on a determination of the risk to organizational\n                                 Yes       operations and assets, individuals, other organizations, and the Nation resulting from the operation of the\n                                           information system and the decision that this risk is acceptable.\n                                           5.1.10. Ensures information security controls are monitored on an ongoing basis including assessing control\n                                           effectiveness, documenting changes to the system or its environment of operation, conducting security impact\n                                           analyses of the associated changes, and reporting the security state of the system to designated organizational\n                                 No        officials.\n\n                                            Comments \xe2\x80\x93 Treasury OIG: FinCEN did not update documentation with results from security assessment\n                                            (See Finding #3)\n                                            5.1.11. Information system-specific risks (tactical), mission/business-specific risks and organizational-level\n                                 Yes\n                                            (strategic) risks are communicated to appropriate levels of the organization.\n                                 Yes        5.1.12. 
Senior Officials are briefed on threat activity on a regular basis by appropriate personnel. (e.g., CISO).\n                                            5.1.13. Prescribes the active involvement of information system owners and common control providers, chief\n                                 Yes        information officers, senior information security officers, authorizing officials, and other roles as applicable in\n                                            the ongoing management of information system-related security risks.\n                                            5.1.14. Security authorization package contains system security plan, security assessment report, and POA&M\n                                 Yes\n                                            in accordance with government policies (SP 800-18, SP 800-37).\n                                            5.1.15. Security authorization package contains Accreditation boundaries for Organization information\n                                 Yes\n                                            systems defined in accordance with government policies.\n                                       5.2. Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Risk Management\n                                       Program that was not noted in the questions above.\n\n6: Security Training\nStatus of Security Training            6.1 Has the Organization established a security training program that is consistent with FISMA requirements,\nProgram [check one: Yes or No]   Yes       OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have\n                                           been identified by the OIG, does the program include the following attributes:\n                                 Yes       6.1.1. 
Documented policies and procedures for security awareness training (NIST 800-54: AT-1).
[Yes] 6.1.2. Documented policies and procedures for specialized training for users with significant information security responsibilities.

The Department of the Treasury’s Consolidated Response to DHS’s FISMA 2012 Questions for Inspectors General                                    Appendix III

[Yes] 6.1.3. Security training content based on the organization and roles, as specified in Organization policy or standards.
[Yes] 6.1.4. Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other Organization users) with access privileges that require security awareness training.
[No]  6.1.5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other Organization users) with significant information security responsibilities that require specialized training.
      Comments – TIGTA: The IRS has not fully implemented identification and tracking of the status of specialized role-based training for contractors.
[Yes] 6.1.6. Training material for security awareness training contains appropriate content for the Organization (SP 800-50, SP 800-53).
6.2. Please provide any additional information on the effectiveness of the Organization’s Incident Response and Reporting Program that was not noted in the questions above.

7: POA&M
Status of POA&M Program [check one: Yes or No]
[Yes] 7.1 Has the Organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
[Yes] 7.1.1. Documented policies and procedures for managing all known IT security weaknesses discovered during security control assessments and requiring remediation.
[No]  7.1.2. Tracks, prioritizes, and remediates weaknesses.
      Comments – Treasury OIG: FMS did not transfer POA&Ms to BPD (See Financial Statement Finding #4)
[Yes] 7.1.3. Ensures remediation plans are effective for correcting weaknesses.
[Yes] 7.1.4. Establishes and adheres to milestone remediation dates.
[Yes] 7.1.5. Ensures resources are provided for correcting weaknesses.
[No]  7.1.6. POA&Ms include security weaknesses discovered during assessments of security controls and requiring remediation (Do not need to include security weakness due to a Risk Based Decision to not implement a security control) (OMB M-04-25).
      Comments – Treasury OIG: DO did not create POA&Ms for security weaknesses discovered during security assessment. FMS did not record POA&Ms for non-remediated vulnerabilities (See Finding #5 and Prior-Year Finding #6)
[Yes] 7.1.7. Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25).
[Yes] 7.1.8. Program officials and contractors report progress on remediation to the CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5 and OMB M-04-25).
7.2. Please provide any additional information on the effectiveness of the Organization’s POA&M Program that was not noted in the questions above.

8: Remote Access Management
Status of Remote Access Management Program [check one: Yes or No]
[Yes] 8.1 Has the Organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
[Yes] 8.1.1. Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST 800-53: AC-1, AC-17).
[Yes] 8.1.2. Protects against unauthorized connections or subversion of authorized connections.
[Yes] 8.1.3. Users are uniquely identified and authenticated for all access (NIST 800-46, Section 4.2, Section 5.1).
[Yes] 8.1.4. Telecommuting policy is fully developed (NIST 800-46, Section 5.1).
[Yes] 8.1.5. If applicable, multifactor authentication is required for remote access (NIST 800-46, Section 2.2, 3.3).
[Yes] 8.1.6. Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength mechanisms.
[Yes] 8.1.7. Defines and implements encryption requirements for information transmitted across public networks.
[Yes] 8.1.8. Remote access sessions, in accordance with OMB M-07-16, are timed out after a maximum of 30 minutes of inactivity, after which reauthentication is required.
[Yes] 8.1.9. Lost or stolen devices are disabled and appropriately reported (NIST 800-46, Section 4.3, US-CERT Incident Reporting Guideline).
[Yes] 8.1.10. Remote access rules of behavior are adequate in accordance with government policies (NIST 800-53: PL-4).
[Yes] 8.1.11. Remote access user agreements are adequate in accordance with government policies (NIST 800-46, Section 5.1, NIST 800-53, PS-6).
8.2. Please provide any additional information on the effectiveness of the Organization’s Remote Access Management that was not noted in the questions above.

9: Contingency Planning
Status of Contingency Planning Program [check one: Yes or No]
[Yes] 9.1 Has the Organization established an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
[Yes] 9.1.1. Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster (NIST 800-53: CP-1).
[Yes] 9.1.2. The agency has performed an overall Business Impact Analysis (NIST SP 800-34).
[No]  9.1.3. Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures (NIST SP 800-34).
      Comments – Treasury OIG: DO did not update the contingency plan for a selected system within the FISMA year. TIGTA did not have a new operating system integrated into its contingency plan. (See Finding #7 and Prior-Year Finding #8)
[No]  9.1.4. Testing of system-specific contingency plans.
      Comments – Treasury OIG: FMS and DO did not perform contingency plan testing for selected systems (See Finding #7 and Prior-Year Finding #8)
[Yes] 9.1.5. The documented business continuity and disaster recovery plans are ready for implementation (FCD1, NIST SP 800-34).
[Yes] 9.1.6. Development of training, testing, and exercises (TT&E) approaches (FCD1, NIST SP 800-34, NIST 800-53).
[No]  9.1.7. Performance of regular ongoing testing or exercising of business continuity/disaster recovery plans to determine effectiveness and to maintain current plans.
      Comments – Treasury OIG: FMS and DO did not perform contingency plan testing for selected systems (See Finding #7 and Prior-Year Finding #8)
[No]  9.1.8. After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34).
      Comments – Treasury OIG: FMS and DO did not perform contingency plan testing for selected systems (See Finding #7 and Prior-Year Finding #8)
[Yes] 9.1.9. Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
[Yes] 9.1.10. Alternate processing sites are subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
[No]  9.1.11. Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
      Comments – Treasury OIG: CDFI did not perform consistent backup for a selected system. BPD was unable to provide evidence of backup being performed for a selected system. FMS did not perform testing of backups for a financial system (See Finding #8 and Financial Statement Finding #5)
[No]  9.1.12. Contingency planning that considers supply chain threats.
9.2. Please provide any additional information on the effectiveness of the Organization’s Contingency Planning that was not noted in the questions above.

10: Contractor Systems
Status of Contractor Systems [check one: Yes or No]
[Yes] 10.1 Has the Organization established a program to oversee systems operated on its behalf by contractors or other entities, including Organization systems and services residing in the cloud external to the Organization? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
[Yes] 10.1.1. Documented policies and procedures for information security oversight of systems operated on the Organization's behalf by contractors or other entities, including Organization systems and services residing in public cloud.
[No]  10.1.2. The Organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with federal and Organization guidelines.
      Comments – Treasury OIG: FMS did not obtain assurance that IT security controls are in place for service providers over select financial systems (See Financial Statement Finding #6)
[Yes] 10.1.3. A complete inventory of systems operated on the Organization's behalf by contractors or other entities, including Organization systems and services residing in public cloud.
[Yes] 10.1.4. The inventory identifies interfaces between these systems and Organization-operated systems (NIST 800-53: PM-5).
[Yes] 10.1.5. The Organization requires appropriate agreements (e.g., Memorandum of Understanding, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
[Yes] 10.1.6. The inventory of contractor systems is updated at least annually.
[Yes] 10.1.7. Systems that are owned or operated by contractors or entities, including Organization systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
10.2. Please provide any additional information on the effectiveness of the Organization’s Contractor Systems that was not noted in the questions above.

11: Security Capital Planning
Status of Security Capital Planning [check one: Yes or No]
[Yes] 11.1 Has the Organization established a security capital planning and investment program for information security? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
[Yes] 11.1.1. Documented policies and procedures to address information security in the capital planning and investment control process.
[Yes] 11.1.2. Includes information security requirements as part of the capital planning and investment process.
[Yes] 11.1.3. Establishes a discrete line item for information security in organizational programming and documentation (NIST 800-53: SA-2).
[Yes] 11.1.4. Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST 800-53: PM-3).
[Yes] 11.1.5. Ensures that information security resources are available for expenditure as planned.
11.2. Please provide any additional information on the effectiveness of the Organization’s Security Capital Planning that was not noted in the questions above.

Approach to Selection of Subset of Systems                                                   Appendix IV

APPENDIX IV – APPROACH TO SELECTION OF SUBSET OF SYSTEMS

In fiscal year (FY) 2012, a risk-based approach was employed to determine the subset of United States Department of the Treasury (Treasury) information systems for the FISMA Audit. The universe for this subset only included major business applications and general support systems with a security classification of “moderate” or “high.” We used the system inventory contained within the Trusted Agent FISMA system (TAF) as the population for this subset.

Based on historical trends in the Treasury systems inventory and past reviews, we used a subset size of 25 from the total population of Treasury major applications and general support systems with a security classification of “Moderate” or “High.” Based on their lower risk, we elected not to incorporate any systems with a FIPS 199 System Impact Level of “Low” into the population of applications to be selected.
We then applied the weighting of IRS systems to non-IRS bureau systems to the total subset size in order to determine the IRS and non-IRS bureau subset sizes.

To select the subset, we stratified the full population of Treasury major applications and general support systems by bureau and by FIPS 199 system impact level. We used a risk-based approach to select systems out of each stratum. We considered the following factors to select systems:

   •   Total number of systems per bureau.
   •   Systems at smaller bureaus not historically included in FISMA audits or evaluations.
   •   Number of systems at each bureau with a FIPS system impact level of “High.”
   •   Location of the system.
   •   Whether the system is going to be decommissioned prior to December 31, 2012.
   •   Whether the system was identified in previous FISMA audits or evaluations within the past two years.

Lastly, the total number of financial systems selected in the subset would not exceed the percentage of systems they represent in the Treasury inventory of information systems. We defined financial systems as those information systems that have been designated as “Financial” or “Mixed Financial” systems in the Treasury’s TAF System.

Based on our analysis of the Treasury inventory of information systems as of April 3, 2012, we noted that a total of 191 major applications and general support systems with a security classification of moderate or high are contained within the Treasury-wide inventory. The following table provides our analysis of the composition of the Treasury’s inventory of major applications and general support systems.

                            Total   IRS Financial   IRS Non-Financial   Non-IRS Financial   Non-IRS Non-Financial
                                    Systems         Systems             Systems             Systems
   Major Applications         134         2               47                  36                  49
   General Support Systems     57         0               24                   4                  29
   Total                      191         2               71                  40                  78

From the analysis above, it was determined that IRS systems make up 39% of the total population of Major Applications and General Support systems and Non-IRS systems make up 61%. When the IRS to Non-IRS weighting is applied to the subset size of 25 from the total population, the resulting sizes for the IRS and Non-IRS subsets are 10 and 15, respectively.

We determined that Major Applications account for 72% of the Non-IRS population and General Support Systems account for 28%. We further determined that systems designated as “Financial” and “Mixed Financial” in TAF account for 34% of all Non-IRS Major Applications and General Support Systems. Lastly, we determined that 29% of the Non-IRS Major Applications and General Support Systems are assigned a FIPS 199 System Impact Level of “High,” while 71% are assigned a FIPS 199 System Impact Level of “Moderate.”

     Total Selected                                                      15
     Total Major Applications                                            11
     Total General Support Systems                                        4
     Total Systems with a FIPS 199 System Impact Level of “High”          4
     Total Systems with a FIPS 199 System Impact Level of “Moderate”     11
     Total Systems with a FIPS 199 System Impact Level of “Low”           0
     Total Systems Designated as Financial                                5

We further stratified the number of information systems by each bureau to determine the total percentage of information systems at each Non-IRS bureau, based on the total population of all Non-IRS information systems.
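The allocation this appendix describes can be reproduced step by step. The Python block below is an added worked example and is not part of the report or of any Treasury tool: it takes the population figures from the tables in this appendix as constructed input, splits the subset of 25 between IRS and Non-IRS systems, allocates the Non-IRS share of 15 across bureaus in proportion to their system counts, and then applies the judgemental adjustments that the notes to the bureau table that follows describe (at least one system at bureaus never sampled, none at bureaus sampled within the past two years, OCC absorbing OTS). The report does not state its rounding rule or how the FMS count was reduced; largest-remainder rounding and the choice of the largest unconstrained bureau as the one that absorbs the adjustments are assumptions made here. With those assumptions the per-bureau result matches the bureau table, and the financial-system cap (34% of 15, floored) allows the 5 financial systems the report selected.

```python
import math
from fractions import Fraction

# Constructed inputs, copied from the Appendix IV tables: 191 systems in the
# population (73 IRS, 118 Non-IRS); Non-IRS systems per bureau; and 40 Non-IRS
# systems designated "Financial" or "Mixed Financial".
POPULATION_SPLIT = {"IRS": 73, "Non-IRS": 118}
NON_IRS_BUREAUS = {
    "BEP": 7, "BPD": 14, "CDFI Fund": 3, "DO": 24, "FinCEN": 7, "FMS": 35,
    "Mint": 10, "OCC": 7, "OTS": 1, "OIG": 5, "TIGTA": 2, "TTB": 3,
}
NON_IRS_FINANCIAL = 40


def proportional_allocation(strata, subset_size):
    """Largest-remainder allocation (an assumed rounding rule; the report states none).
    Each stratum gets the floor of its exact share; the leftover picks go to the
    strata with the largest fractional remainders, larger strata first on ties."""
    total = sum(strata.values())
    quota = {s: Fraction(n * subset_size, total) for s, n in strata.items()}
    alloc = {s: math.floor(q) for s, q in quota.items()}
    leftover = subset_size - sum(alloc.values())
    ranked = sorted(strata, key=lambda s: (quota[s] - alloc[s], strata[s]), reverse=True)
    for s in ranked[:leftover]:
        alloc[s] += 1
    return alloc


def apply_risk_overrides(alloc, strata, at_least_one=(), exclude=(), fixed=None):
    """Judgemental adjustments of the kind the bureau-table notes describe: force at
    least one pick for strata never sampled before, zero picks for strata sampled
    within the past two years, and fixed counts where one bureau absorbed another.
    The subset size is then restored by adjusting the largest stratum that carries
    no override (an assumption; for this table that stratum is FMS)."""
    fixed = fixed or {}
    target = sum(alloc.values())
    adjusted = dict(alloc)
    for s in at_least_one:
        adjusted[s] = max(adjusted[s], 1)
    for s in exclude:
        adjusted[s] = 0
    adjusted.update(fixed)
    pinned = set(at_least_one) | set(exclude) | set(fixed)
    donor = max((s for s in strata if s not in pinned), key=strata.get)
    adjusted[donor] += target - sum(adjusted.values())
    if adjusted[donor] < 0:
        raise ValueError("overrides require more picks than the subset size allows")
    return adjusted


def max_financial_in_subset(subset_size, financial, total):
    """Cap from the report: financial systems in the subset may not exceed the
    share they represent in the population (floored to whole systems)."""
    return math.floor(Fraction(subset_size * financial, total))


def treasury_fy2012_allocation(subset_size=25):
    """Whole procedure: IRS/Non-IRS split, per-bureau allocation, then overrides."""
    split = proportional_allocation(POPULATION_SPLIT, subset_size)
    base = proportional_allocation(NON_IRS_BUREAUS, split["Non-IRS"])
    final = apply_risk_overrides(
        base, NON_IRS_BUREAUS,
        at_least_one=("CDFI Fund", "TTB"),  # Note 1
        fixed={"OCC": 2, "OTS": 0},          # Note 2
        exclude=("OIG", "TIGTA"),            # Note 3
    )
    return split, base, final


if __name__ == "__main__":
    split, base, final = treasury_fy2012_allocation()
    print("IRS / Non-IRS split:", split)
    for bureau in NON_IRS_BUREAUS:
        print(f"{bureau:10} proportional={base[bureau]} final={final[bureau]}")
    cap = max_financial_in_subset(split["Non-IRS"], NON_IRS_FINANCIAL, POPULATION_SPLIT["Non-IRS"])
    print("financial systems allowed in the Non-IRS subset:", cap)
```

Running the block shows where judgement departs from proportion: the purely proportional pass gives FMS five systems and CDFI Fund and TTB none, which is exactly the situation Note 1 records, and the override pass moves those two picks to the small bureaus.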
We used these percentages as a baseline to determine the total number of systems to select at each bureau or office:

         Bureau              Total Systems     Percentage of Total     Total Number of Non-IRS
                                               Non-IRS Population      Systems to be Selected
     BEP                              7                 6%                       1
     BPD                             14                12%                       2
     CDFI Fund                        3                 3%                1 (See Note 1)
     DO                              24                20%                       3
     FinCEN                           7                 6%                       1
     FMS                             35                29%                       3
     Mint                            10                 8%                       1
     OCC                              7                 6%                2 (See Note 2)
     OTS                              1                 1%                0 (See Note 2)
     OIG                              5                 4%                0 (See Note 3)
     TIGTA                            2                 2%                0 (See Note 3)
     TTB                              3                 3%                1 (See Note 1)
     Total                          118               100%                      15

        (Note 1: Using this methodology initially did not yield a system being selected at these agencies. However, using our risk-based methodology, we elected to select one system for each of these agencies and decrease the number of systems for FMS.)
        (Note 2: OCC incorporated two of the OTS systems into their GSS and the rest of the OTS systems are scheduled to be retired. We elected to sample two systems for OCC and none of the retiring systems.)
        (Note 3: Per instructions from the OIG, we will not sample any systems from OIG or TIGTA, because their systems had been selected in the past two years.)

Selected Security Control Classes and Families                                                Appendix V

APPENDIX V – SELECTED SECURITY CONTROL CLASSES AND FAMILIES

The Federal Information Security Management Act (FISMA) directs the National Institute of Standards and Technology (NIST) to develop and issue standards, guidelines, and other publications to assist federal agencies in defining minimum security requirements for non-national security systems used by agencies. NIST has developed such standards and guidelines as part of its implementation of FISMA. We based our security evaluation on the security controls defined within NIST Special Publication (SP) 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations. NIST publications define a framework for protecting the confidentiality, integrity, and availability of federal information and information systems consisting of three general classes of controls (i.e., management, operational, and technical).

Tables on the following pages delineate the specific security controls we performed in accordance with NIST SP 800-53. We selected specific test procedures that were applicable to the computing environment; therefore, not all available security controls within each control family were performed.

Management Controls

Management security controls for information systems focus on the management of risk and the management of information system security.

We assessed the following management control areas:

    •   Security Assessments and Authorizations (CA)
    •   Planning (PL)
    •   Risk Assessment (RA)

Security Assessments and Authorization:

The organization develops, disseminates, and periodically reviews/updates (i) formal, documented, security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated assessment and authorization controls.

                        Security Controls     Title
                        CA-2                  Security Assessments
                        CA-5                  Plan of Action and Milestones
                        CA-6                  Security Authorization
                        CA-7                  Continuous Monitoring

Planning:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

                        Procedure            Title
                        PL-2                 System Security Plan

Risk Assessment:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented risk assessment policy that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

                        Procedure              Title
                        RA-2                   Security Categorization
                        RA-3                   Risk Assessment
                        RA-5                   Vulnerability Scanning

Operational Controls

The operational controls address security methods that focus primarily on mechanisms that people implement and execute (as opposed to systems).

We assessed the following Operational control areas:

   •   Configuration Management (CM)
   •   Contingency Planning (CP)
   •   System and Information Integrity (SI)

Configuration Management:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, configuration management policy that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

                        Procedure              Title
                        CM-2                   Baseline Configuration
                        CM-6                   Configuration Settings

Contingency Planning:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, contingency planning policy that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

                        Procedure              Title
                        CP-2                   Contingency Plan
                        CP-4                   Contingency Plan Testing and Exercises
                        CP-9                   Information System Backup

System and Information Integrity:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

                         Procedure            Title
                         SI-2                 Flaw Remediation

Technical Controls

Technical security controls for information systems focus on information systems that primarily control the implementation and execution of the information system through mechanisms contained in the hardware, software, or firmware of the system.

We assessed the following Technical control areas:

    •   Access Control (AC)
    •   Audit and Accountability (AU)
    •   Identification and Authentication (IA)

Access Control:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, access control policy that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

                         Procedure            Title
                         AC-2                 Account Management
                         AC-6                 Least Privilege

Audit and Accountability:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, audit and accountability policy that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

                         Procedure            Title
                         AU-2                 Auditable Events
                         AU-6                 Audit Review

Identification and Authentication:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented, identification and authentication policy that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

                        Procedure             Title
                        IA-2                  User Identification and Authentication
                        IA-4                  Identifier Management




                                                                                                  Page 69

Summary of Other IT Findings from Treasury Financial Statement Audits                                                                            Appendix VI

APPENDIX VI – SUMMARY OF OTHER IT FINDINGS FROM TREASURY FINANCIAL STATEMENT AUDITS

Department of the Treasury management will provide responses to the security weaknesses noted below in a separate report as part of the financial
statement audit.

Each finding below lists its NIST 800-53 control family, the condition observed, and the recommendation made.

Finding 1 – Access Control

Condition: For the UNIX Mid-Tier environments that host significant financial systems, FMS and BPD management have not identified incompatible
duties for sensitive users as required by the FMS Entity-Wide IT Security Standards Manual; therefore, we could not determine whether policies were
implemented to segregate these duties. Sensitive users include system administrators, database administrators (DBA), developers, change management
support, and computer operations personnel.

Recommendation: We recommend that FMS management:

   1. Develop a segregation of duties (SOD) matrix that complies with the IT security standards from FMS and NIST for sensitive users across the
      UNIX Mid-Tier environments, and use this matrix when assigning access to groups or creating new groups through the change control process.
   2. Analyze existing groups on the UNIX Mid-Tier environments and document the following:
      a. Description, purpose, and approval of each existing UNIX Mid-Tier group;
      b. Privileges and actions that each group can perform;
      c. Job functions and sensitive roles assigned to each group; and
      d. Process to approve, log, and monitor groups.
   3. Remove any access that does not comply with the SOD matrix.

Finding 2 – Configuration Management

Condition: (Repeat Condition) FMS did not have a management-approved list of all privileged programs that reside on the mainframe. Additionally, FMS
did not implement an automated tool to alert management when new privileged programs were added to the mainframe, so that it could determine
whether the addition was approved, appropriate, and safe. FMS closed this prior-year finding in FY 2012; however, our testing determined that the
finding had not been resolved and had to be reissued. We repeated the following recommendations made in our FY 2011 report.

Recommendation: We recommend that FMS management:

   1. Develop a complete, authoritative inventory of all management-approved privileged programs, and confirm that existing privileged programs are
      safe and required for successful operation of the mainframe.
   2. Develop and implement formal change control procedures to monitor privileged programs to confirm that they are safe, approved by management,
      and have not been altered without management’s approval.
   3. Implement an automated mechanism to track the inventory of existing programs and notify appropriate officials when new privileged programs are
      added or existing privileged programs are modified.

Finding 3 – Risk Assessment

Condition: The FMS Entity-Wide IT Standards prescribe that it is management’s responsibility to monitor the effectiveness of its security program over
the system environment, which includes the UNIX Mid-Tier platform maintained at BPD; however, we noted a lack of evidence supporting FMS’s
responsibility for threat management. Moreover, FMS did not document the effectiveness of its monitoring program, as it was unable to confirm whether:

   1. the actual Internet Protocol (IP) addresses in production at the time of the vulnerability scans run from October 1, 2011 to June 30, 2012
      were valid;
   2. any vulnerabilities were identified; and
   3. any corresponding corrective actions had been implemented.

Recommendation: We recommend that FMS management:

   1. Formally document the vulnerability scanning processes for the Fiscal Service organization and communicate the processes to affected field
      personnel.
   2. Maintain a complete listing of hosts and IP addresses for the production environment, document any changes to this listing, and retain enough
      supporting documentation to confirm the accuracy of completed vulnerability scans.
   3. Strengthen the threat management process to require the sharing of information obtained from the vulnerability scanning process and security
      control assessments with designated personnel throughout the organization, to help eliminate similar vulnerabilities in other information
      systems (i.e., systemic weaknesses).

Finding 4 – Security Assessment and Authorization

Condition: FMS needs to improve its enforcement over coordinating with BPD for the orderly transfer of POA&M items relating to UNIX Mid-Tier
platform-specific weaknesses affecting FMS applications, per the FMS Transferring POA&M Items Standard. We noted that several platform-specific
weaknesses that were initially tracked in the POA&Ms for FMS applications were not transferred in a timely manner to BPD for inclusion in the UNIX
Mid-Tier POA&M, so the monitoring controls necessary to ensure prompt remediation were not in effect.

Recommendation: We recommend that FMS management:

   1. Strengthen its enforcement over the transfer of POA&M items across the organizations to ensure timely remediation of weaknesses.
   2. Enhance the FMS Transferring POA&M Items Standard to require the orderly transfer of POA&M items across the organizations within specified
      time frames.

Finding 5 – Contingency Planning

Condition: For a financial system application that resides on the Mid-Tier UNIX environment, FMS management was unable to define formally who was
responsible for the backup testing process. FMS management staff informed us that BPD performs backup test procedures for the FMS application;
BPD support personnel, however, informed us that BPD does not perform backup tests unless FMS management instructs BPD to do so. We determined
that backup tests were not performed consistently by either BPD or FMS management on a semi-annual basis as required by the Fiscal Service Baseline
Security Requirements (BLSR) and Treasury Directive Publication 85-01. In addition, FMS and BPD could only provide supporting documentation
evidencing backup testing of the application server. No evidence was available to demonstrate backup testing of the database and web servers.

Recommendation: We recommend that FMS management:

   1. Update existing application and Mid-Tier UNIX backup procedures and system security plans to clarify roles and responsibilities with regard to
      the semi-annual testing of the financial system application backups, to comply with the Fiscal Service BLSR, Treasury Directive Publication
      85-01, and NIST SP 800-53.
   2. Communicate the updates to the financial system application and Mid-Tier UNIX backup procedures and SSPs to the financial system application
      management staff and BPD support personnel.
   3. Test backups for the financial system application production servers semi-annually, as prescribed by the Fiscal Service BLSR and Treasury
      Directive Publication 85-01.

Finding 6 – Contractor Systems

Condition: FMS does not monitor IT security control compliance of its service providers and has not addressed the resulting risks or implemented
compensating controls. Specifically, we noted that FMS has not implemented a process to obtain assurance that the IT security controls it inherits
from its service providers are operating effectively, as prescribed by NIST SP 800-53, Rev. 3. We noted that the system security plans (SSPs) and
additional FMS procedures do not formally establish the security roles and responsibilities between FMS and its service providers for inherited
controls, or how FMS should monitor the operating effectiveness of these service providers’ controls.

Recommendation: We recommend that FMS management:

   1. Document the following in the FMS system SSPs: (a) the inherited IT security controls that are being performed by the service providers and
      (b) the FMS monitoring controls used to determine that these controls are operating effectively.
   2. Develop an enforcement process to obtain assurance that the IT security controls inherited from the service providers are operating
      effectively.

Finding 7 – Configuration Management

Condition: While performing audit test work over borrowings as of June 30, 2012, we noted discrepancies in the cash receipt amounts included in the
cash receipt report. This was determined to be due to a change request to modify the cash receipts report. Specifically, we determined that while
FFB management tests and approves change requests prior to implementing system changes, its change management procedures were not comprehensive
enough to ensure that proper testing occurs before and after development and production. Due to the lack of regression testing, management was
unable to detect the effect of the system change in production. Additionally, no FFB IT staff member was assigned to review in detail the change
requests for development or production projects created by the contracting firm before the accountants performed their tests and approved the
changes.

Recommendation: We recommend that Federal Financing Bank (FFB) management strengthen change control procedures for the system and related report
modifications. These procedures should conform to existing standards and include the following:

   1. Implement policy and procedures to provide adequate supervision by FFB IT staff when the contracting group develops requirements, testing,
      acceptance, and subsequent implementation initiatives prior to moving into production.
   2. Strengthen the change request form to include all requirements and the scope of the change request, including the time period of the change,
      the life cycle of implementation, and end-user testing, to ensure all change requests are properly tested.
   3. Ensure that the level and sufficiency of testing are appropriate to the specific change requirements, and that change requests are
      appropriately evaluated, authorized, and monitored to ensure that they achieve the users’ requirements and do not negatively impact existing
      processing.




                                                                                                 Page 74

Glossary of Terms                                                            Appendix VII

APPENDIX VII – GLOSSARY OF TERMS

       Acronym                                         Definition
AC                  Access Control
ACIOCS              Associate Chief Information Officer for Cyber Security
AU                  Audit and Accountability
BEP                 Bureau of Engraving and Printing
BLSR                Fiscal Service Baseline Security Requirements
BPD                 Bureau of the Public Debt
CA                  Security Assessment and Authorization
CAT                 Category
C&A                 Certification and Accreditation
CDFI                Community Development Financial Institution
CIO                 Chief Information Officer
CIP                 Critical Infrastructure Protection
CISO                Chief Information Security Officer
CM                  
Configuration Management\nCP                  Contingency Planning\nCSIRC               Computer Security Incident Response Center\nCSS                 Cyber Security Sub-Council\nDHS                 Department of Homeland Security\nDO                  Departmental Offices\nFDCC                Federal Desktop Core Configuration\nFFB                 Federal Financing Bank\nFinCEN              Financial Crimes Enforcement Network\nFIPS                Federal Information Processing Standards\nFISM                Federal Information Security Memorandum\nFISMA               Federal Information Security Management Act\nFMS                 Financial Management Service\nFY                  Fiscal Year\nGAGAS               Generally Accepted Government Auditing Standards\nIA                  Identification and Authentication\nIG                  Inspector General\nIP                  Internet Protocol\nIRS                 Internal Revenue Service\nISSO                Information System Security Officer\nIT                  Information Technology\nKPMG                KPMG LLP\nMint                United States Mint\nNIST                National Institute of Standards and Technology\nOCC                 Office of the Comptroller of the Currency\n\n\n\n                                                                                 Page 75\n\x0cGlossary of Terms                                                                Appendix VII\n\n      Acronym                                        Definition\nOCIO                Office of the Chief Information Officer\nOIG                 Office of Inspector General\nOMB                 Office of Management and Budget\nOTS                 Office of Thrift Supervision\nPL                  Planning\nPOA&M               Plan of Action and Milestones\nRA                  Risk Assessment\nRev.                
Revision
SI                  System and Information Integrity
SIGTARP             Special Inspector General for the Troubled Asset Relief Program
SP                  Special Publication
SSP                 System Security Plan
TAF                 Trusted Agent FISMA
TARP                Troubled Asset Relief Program
TCSIRC              Treasury Computer Security Incident Response Capability
TD P                Treasury Directive Publication
TIGTA               Treasury Inspector General for Tax Administration
TTB                 Alcohol and Tobacco Tax and Trade Bureau
US-CERT             United States Computer Emergency Readiness Team




                                                                                      Page 76

           ATTACHMENT 2

   Treasury Inspector General for Tax
Administration – Federal Information Security
  Management Act Report for Fiscal Year
    2012, (Audit No. 2012-20-114),
           September 28, 2012

    THIS PAGE INTENTIONALLY LEFT BLANK

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION




                    Treasury Inspector General for Tax
                Administration – Federal Information Security
                Management Act Report for Fiscal Year 2012



                                      September 28, 2012

                              Reference Number: 2012-20-114




 This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
  and information determined to be restricted from public release has been redacted from this document.



 Phone Number | 202-622-6500
 E-mail Address | TIGTACommunications@tigta.treas.gov
 Website        | http://www.tigta.gov

                                                  HIGHLIGHTS


TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION – FEDERAL INFORMATION SECURITY
MANAGEMENT ACT REPORT FOR FISCAL YEAR 2012

Highlights
Report issued on September 28, 2012

Highlights of Report Number: 2012-20-114 to the Department of the Treasury, Office of the
Inspector General, Assistant Inspector General for Audit.

IMPACT ON TAXPAYERS
The IRS collects and maintains a significant amount of personal and financial information on
each taxpayer. The IRS also relies extensively on computerized systems to support its
responsibilities in collecting taxes, processing tax returns, and enforcing the Federal tax laws.
As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of
this sensitive information against unauthorized access or loss. Otherwise, taxpayers could be
exposed to invasion of privacy and financial loss or damage from identity theft or other financial
crimes.

WHY TIGTA DID THE AUDIT
The Federal Information Security Management Act (FISMA) was enacted to strengthen the
security of information and systems within Federal agencies. As part of this legislation, the
Offices of Inspectors General are required to perform an annual independent evaluation of
each Federal agency’s information security programs and practices. This report reflects
TIGTA’s independent evaluation of the status of the IRS’s information security program for
Fiscal Year 2012.

WHAT TIGTA FOUND
Based on our Fiscal Year 2012 FISMA evaluation, TIGTA found that the IRS’s information
security program was generally compliant with the FISMA requirements. Specifically, TIGTA
determined that the following eight program areas met the level of performance specified by the
Department of Homeland Security’s Fiscal Year 2012 Inspector General FISMA Reporting
Metrics:
    •   Continuous monitoring management.
    •   Incident response and reporting.
    •   Risk management.
    •   Plan of action and milestones.
    •   Remote access management.
    •   Contingency planning.
    •   Contractor systems.
    •   Security capital planning.

However, TIGTA determined that the following program areas did not meet the level of
performance specified by the Department of Homeland Security’s Fiscal Year 2012 Inspector
General FISMA Reporting Metrics as a result of specific program attributes that were missing or
other conditions identified that reduced program effectiveness:
    •   Configuration management.
    •   Identity and access management.
    •   Security training.

WHAT TIGTA RECOMMENDED
TIGTA does not include recommendations as part of its annual FISMA evaluation and reports
only on the level of performance achieved by the IRS using the guidelines issued by the
Department of Homeland Security for the applicable FISMA evaluation period.

                                                   DEPARTMENT OF THE TREASURY
                                                         WASHINGTON, D.C. 20220




TREASURY INSPECTOR GENERAL
  FOR TAX ADMINISTRATION




                                                 September 28, 2012


 MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
                OFFICE OF THE INSPECTOR GENERAL
                DEPARTMENT OF THE TREASURY


 FROM:                           Michael E. McKenney
                                 Acting Deputy Inspector General for Audit

 SUBJECT:                        Treasury Inspector General for Tax Administration – Federal
                                 Information Security Management Act Report for Fiscal Year 2012
                                 (Audit # 201220001)

 This report presents the results of the Treasury Inspector General for Tax Administration’s
 Federal Information Security Management Act1 evaluation for Fiscal Year 2012. The Act
 requires the Offices of Inspectors General to perform an annual independent evaluation of each
 Federal agency’s information security program and practices. This report reflects our
 independent evaluation of the Internal Revenue Service’s (IRS) information security program
 and practices for the period under review.
 The report was forwarded to the Treasury Inspector General for consolidation into a report issued
 to the Department of the Treasury Chief Information Officer. Copies of this report are also being
 sent to the IRS managers affected by the report results.
 Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant
 Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.




 1
     Title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899.

                      Treasury Inspector General for Tax Administration – Federal
                   Information Security Management Act Report for Fiscal Year 2012




                                            Table of Contents

Background .......................................................................................................... Page 1

Results of Review ............................................................................................... Page 2
          The Internal Revenue Service’s Information Security Program
          Generally Complies With the Federal Information Security
          Management Act, but Improvements Are Needed ....................................... Page 2

Appendices
          Appendix I – Fiscal Year 2012 Reporting Metrics ....................................... Page 16
          Appendix II – Major Contributors to This Report ........................................ Page 30
          Appendix III – Report Distribution List ....................................................... Page 31
          Appendix IV – Treasury Inspector General for Tax Administration
          Information Technology Security-Related Reports Issued During the
          Fiscal Year 2012 Evaluation Period ............................................................. Page 32
          Appendix V – Glossary of Terms ................................................................. Page 33

             Treasury Inspector General for Tax Administration – Federal
          Information Security Management Act Report for Fiscal Year 2012




                            Abbreviations

AP                   Administrative Priority
Base                 Baseline Question
CIO                  Chief Information Officer
CISO                 Chief Information Security Officer
CM                   Continuous Monitoring
CMWG                 Continuous Monitoring Working Group
DAA                  Designated Accrediting Authority
DHS                  Department of Homeland Security
DMZ                  Demilitarized Zone
ECMS                 Enterprise Configuration Management System
FCD1                 Federal Continuity Directive 1
FDCC                 Federal Desktop Core Configuration
FISMA                Federal Information Security Management Act
FY                   Fiscal Year
GAO                  Government Accountability Office
GSS                  General Support System
HSPD-12              Homeland Security Presidential Directive-12
IP                   Internet Protocol
IRS                  Internal Revenue Service
IT                   Information Technology
KFM                  Key FISMA Metric
MOU                  Memorandum of Understanding
NIST                 National Institute of Standards and Technology
OIG                  Office of the Inspector General
OMB                  Office of Management and Budget
PIV                  Personal Identity Verification
POA&M                Plan of Action and Milestones
SCAP                 Security Content Automation Protocol
SP                   Special Publication
TIGTA                Treasury Inspector General for Tax Administration
US-CERT              United States Computer Emergency Readiness Team
USG                  U.S. Government
USGCB                United States Government Configuration Baseline

                   Treasury Inspector General for Tax Administration – Federal
                Information Security Management Act Report for Fiscal Year 2012




                                           Background

The Internal Revenue Service (IRS) collects and maintains a significant amount of personal and
financial information on each taxpayer. The IRS also relies extensively on computerized
systems to support its responsibilities in collecting taxes, processing tax returns, and enforcing
Federal tax laws. As custodians of taxpayer information, the IRS has an obligation to protect the
confidentiality of this sensitive information against unauthorized access or loss. Otherwise,
taxpayers could be exposed to invasion of privacy and financial loss or damage from identity
theft or other financial crimes.
The Federal Information Security Management Act (FISMA) of 20021 was enacted to strengthen
the security of information and systems within Federal agencies. Under the FISMA, agency
heads are responsible for providing information security protections commensurate with the risk
and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information systems. Agency heads are also
responsible for complying with the requirements of the FISMA, related Office of Management
and Budget (OMB) policies, and National Institute of Standards and Technology (NIST)
procedures, standards, and guidelines.
As part of this legislation, each Federal Government agency is required to report annually to the
OMB on the adequacy and effectiveness of its information security program and practices and
compliance with the FISMA.
In addition, the FISMA requires the agencies to have an annual\nindependent evaluation of their information security programs and practices performed by the\nagency Inspector General or an independent external auditor as determined by the Inspector\nGeneral.2 The OMB uses the information from the agencies and independent evaluations in its\nFISMA oversight capacity to assess agency-specific and Federal Government-wide security\nperformance, develop its annual security report to Congress, and assist in improving and\nmaintaining adequate agency security performance.\nWe based our evaluation of the IRS on the Department of Homeland Security\xe2\x80\x99s (DHS) Fiscal\nYear (FY) 2012 Inspector General FISMA Reporting Metrics issued on March 6, 2012. These\nreporting metrics specified the security program areas for the Inspectors General to evaluate and\nlisted specific attributes that each security program area should include, as shown in Appendix I.\nMajor contributors to this report are listed in Appendix II.\n\n\n\n\n1\n Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.\n2\n The FISMA evaluation period for the Department of the Treasury is July 1, 2011, through June 30, 2012. 
All\nsubsequent references to 2012 refer to the FISMA evaluation period.\n                                                                                                        Page 1\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n\n                                Results of Review\n\nThe Internal Revenue Service\xe2\x80\x99s Information Security Program\nGenerally Complies With the Federal Information Security\nManagement Act, but Improvements Are Needed\nThe DHS FY 2012 Inspector General FISMA Reporting Metrics specified 11 information\nsecurity program areas and a total of 96 attributes within the 11 areas for the Inspectors General\nto evaluate and determine whether agencies had established and maintained an information\nsecurity program that was generally consistent with the NIST and OMB\xe2\x80\x99s FISMA requirements.\nThe 11 information security program areas are as follows:\n   \xef\x82\xb7   Continuous monitoring management.\n   \xef\x82\xb7   Configuration management.\n   \xef\x82\xb7   Identity and access management.\n   \xef\x82\xb7   Incident response and reporting.\n   \xef\x82\xb7   Risk management.\n   \xef\x82\xb7   Security training.\n   \xef\x82\xb7   Plan of action and milestones.\n   \xef\x82\xb7   Remote access management.\n   \xef\x82\xb7   Contingency planning.\n   \xef\x82\xb7   Contractor systems.\n   \xef\x82\xb7   Security capital planning.\nTo complete our FISMA evaluation, we reviewed a representative sample of 10 major IRS\ninformation systems. For each system in the sample, we assessed the quality of the security\nassessment and authorization process, the annual testing of controls for continuous monitoring,\nthe testing of information technology contingency plans, and the quality of the plan of action and\nmilestones process. 
In addition, we evaluated the IRS\xe2\x80\x99s processes over configuration\nmanagement, identity and access management, incident response and reporting, security training,\nremote access management, contractor systems, and security capital planning. During the\nFY 2012 FISMA evaluation period, we also completed nine audits, as shown in Appendix IV,\nwhich evaluated various aspects of information security at the IRS. We considered the results of\nthese audits in our evaluation, as well as results from ongoing audits for which draft reports were\nissued to the IRS by August 10, 2012.\n\n                                                                                            Page 2\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\nBased on our FY 2012 FISMA evaluation, we determined that the IRS\xe2\x80\x99s information security\nprogram was compliant with the FISMA requirements and met the level of performance for eight\nof the 11 program areas as specified by the DHS\xe2\x80\x99s FY 2012 Inspector General FISMA Reporting\nMetrics. However, we also noted that improvements were needed in the remaining three\nprogram areas. We determined that these three program areas did not meet the level of\nperformance specified by the DHS\xe2\x80\x99s FY 2012 Inspector General FISMA Reporting Metrics as a\nresult of specific program attributes that were missing or other conditions that we identified\nwhich reduced program effectiveness. 
The three areas needing improvement are as follows:\n   \xef\x82\xb7   Configuration management.\n   \xef\x82\xb7   Identity and access management.\n   \xef\x82\xb7   Security training.\n\nConfiguration Management\nConfiguration management comprises a collection of activities focused on establishing and\nmaintaining the integrity of products and systems through control of the processes for\ninitializing, changing, and monitoring the configurations of those products and systems.\nSecurity-focused configuration management is the management and control of secure\nconfigurations for an information system to enable security and facilitate the management of\nrisk. Effective configuration management of information systems requires the integration of the\nmanagement of secure configurations into the organizational configuration management process\nor processes.\nIn order to secure both software and hardware, agencies must develop and implement standard\nconfiguration baselines that prevent or minimize exploitable system vulnerabilities. The OMB\nrequires all Windows 7, XP, and Vista workstations to conform to the U.S. Government\nConfiguration Baseline. Furthermore, the NIST has created a repository of secure baselines for a\nwide variety of operating systems and devices. Agencies must also develop and implement\nsufficient patch management processes, which is a component of configuration management.\nAny significant delays in patching software with critical vulnerabilities provide ample\nopportunity for persistent attackers to gain control over the vulnerable computers and get access\nto the sensitive data they may contain.\nThe IRS has not fully implemented the following seven configuration management attributes\nspecified by the DHS metrics:\n    2.1.3. Assessing for compliance with baseline configurations.\n    2.1.5. 
For Windows-based components, Federal Desktop Core Configuration (FDCC)/U.S.\n           Government Configuration Baseline (USGCB) secure configuration settings fully\n           implemented and any deviations from FDCC/USGCB baseline settings fully\n           documented.\n\n                                                                                          Page 3\n\x0c                    Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                 Information Security Management Act Report for Fiscal Year 2012\n\n\n\n     2.1.6. Documented proposed or actual changes to hardware and software configurations.\n     2.1.7. Process for timely and secure installation of software patches.\n     2.1.8. Software assessing (scanning) capabilities are fully implemented.\n     2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated\n            in a timely manner, as specified in organization policy or standards.\n    2.1.10. Patch management process is fully developed, as specified in organization policy or\n            standards.\n2.1.3. Assessing for compliance with baseline configurations.\nThe IRS is still in the process of implementing tools compliant with the Security Content\nAutomation Protocol (SCAP)3 to perform security configuration assessments for Windows and\nUNIX systems. Agencies are required to use SCAP-validated tools, as specified by the NIST, to\ncontinuously monitor the security configurations of their information technology assets as part of\ncompliance with the FISMA.\nIn April 2008, the IRS formally kicked off an initiative to implement the Security Compliance\nPosture Monitoring and Reporting tool, an enterprise tool that would utilize the NIST-defined\nprotocol. 
When in production, the Security Compliance Posture Monitoring and Reporting tool\nwould provide the IRS with the ability to monitor, measure, and manage FISMA security\ncompliance of its Windows and UNIX servers enterprise-wide. Also, it would allow the IRS to\nretire the Windows and UNIX policy checker programs, which are not SCAP-compliant.\nHowever, the IRS has not yet rolled out the Security Compliance Posture Monitoring and\nReporting tool.\nAlso, in September 2011, the Treasury Inspector General for Tax Administration (TIGTA)\nreported4 that automated security configuration scans of IRS mainframe databases were not\nconducted. The Internal Revenue Manual required monthly automated security configuration\nscans of all operating and database systems. However, the mainframe policy checker does not\ntest configuration compliance for databases that reside on mainframes. The IRS agreed to\nimplement automated security configuration scanning on mainframe databases by\nMarch 1, 2013.\n\n\n3\n  The SCAP is a suite of specifications that standardize the format and nomenclature by which security software\nproducts communicate software flaw and security configuration information. SCAP is designed to organize,\nexpress, and measure security-related information in standardized ways, as well as related reference data, such as\nidentifiers for post-compilation software flaws and security configuration issues. SCAP can be used to maintain the\nsecurity of enterprise systems, such as automatically verifying the installation of patches, checking system security\nconfiguration settings, and examining systems for signs of compromise.\n4\n  TIGTA Ref. No. 2011-20-099, The Mainframe Databases Reviewed Met Security Requirements; However,\nAutomated Security Scans Were Not Performed (Sept. 
2011).\n                                                                                                             Page 4\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\nThe IRS has deployed a SCAP-compliant tool (called the SCAP Compliance Checker) for\nmonitoring Federal Desktop Core Configuration compliance on workstations. However, since\nFebruary 2010, the IRS has been in the process of implementing additional tools for monitoring\nworkstation compliance, called the Treasury Enhanced Security Initiative. The IRS believes the\nTreasury Enhanced Security Initiative is needed because of the features it has that the SCAP\nCompliance Checker does not have, including its ability to:\n   \xef\x82\xb7   Discover all assets on the IRS network.\n   \xef\x82\xb7   Identify rogue computers.\n   \xef\x82\xb7   Monitor administrative access privileges.\n   \xef\x82\xb7   Identify noncompliant security configurations for specific workstations.\n   \xef\x82\xb7   Prioritize highest risk systems for timely remediation.\n   \xef\x82\xb7   Automate remediation of some misconfigurations.\nHowever, the Treasury Enhanced Security Initiative has experienced several delays due to the\nneed for infrastructure upgrades and additional server resources, the IRS placing higher priorities\non development of other systems, and filing season moratoriums.\n2.1.5. For Windows-based components, FDCC/USGCB secure configuration settings fully\nimplemented and any deviations from FDCC/USGCB baseline settings fully documented.\nThe IRS has not yet fully documented Windows 7 FDCC/USGCB deviations. The User and\nNetwork Services organization indicated that it is currently working with stakeholders to identify\nand document all Windows 7 settings that do not comply with the Internal Revenue Manual or\nUSGCB.\n2.1.6. 
Documented proposed or actual changes to hardware and software configurations.\nThe IRS had not yet fully implemented configuration and change management controls to ensure\nthat proposed or actual changes to hardware and software configurations are documented.\nDuring FY 2012, the Enterprise Services organization was in the process of implementing the\nEnterprise Configuration Management System (ECMS) to provide an enterprise solution for\nconfiguration and change management. The goal of the ECMS is to provide the IRS the\ncapability to automate the configuration management process, enhance and improve the current\nchange management process, provide a platform for the consolidation of change boards, provide\na detailed change analysis capability, and support the adoption of robust configuration\nmanagement and validation.\nThe ECMS briefing from the Enterprise Services Configuration and Change Management office\ncites a number of issues with IRS configuration and change management processes, including:\n\n\n                                                                                            Page 5\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\n    \xef\x82\xb7   A number of organizational change management processes are in place, without a clear\n        understanding on how they link back to the \xe2\x80\x9cumbrella\xe2\x80\x9d configuration and change\n        management standards.\n            o Duplicative steps exist in many of the change management processes.\n            o Inconsistent integration/coordination exists across processes.\n    \xef\x82\xb7   There is limited enforcement of configuration and change management standards to date.\n    \xef\x82\xb7   Multiple configuration control boards are in place, without a clear definition of what the\n        hand-offs are between them.\n    \xef\x82\xb7   
Configuration items do not always have an owner.\n    \xef\x82\xb7   No clear process hand-offs are defined between configuration management, change\n        management, release management, and other service management processes.\n    \xef\x82\xb7   Organizations do not always have a clear understanding of Configuration and Change\n        Management office staff roles.\n    \xef\x82\xb7   Many organizations do not have a clear understanding of what configuration and change\n        management are and what steps they should be following to perform the related\n        processes.\n    \xef\x82\xb7   Configuration and change management standards applied to organizationally owned tools\n        are sometimes \xe2\x80\x9clost in translation.\xe2\x80\x9d\n    \xef\x82\xb7   The level of effort required across varied tools and procedures involved in performing\n        configuration management activities is not clear, making it difficult to assign resources.\xc2\xa0\nIn July 2012, the Enterprise Services organization deployed the initial release of the ECMS. The\nECMS includes a configuration item discovery tool, called the Discovery and Dependency\nMapping Advanced tool, for the purpose of establishing a central repository of configuration\nitems for which changes to configuration settings will need to be managed. The Enterprise\nServices organization plans for the full implementation of the ECMS to occur in FY 2014.\n2.1.7. Process for timely and secure installation of software patches.\nDuring the FY 2012 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to\nevaluate the IRS\xe2\x80\x99s enterprise-wide patch management process.5 The TIGTA identified that\ncritical patches continue to be missing or are installed in an untimely manner. The IRS\xe2\x80\x99s own\npatch monitoring reports continue to report unpatched or untimely patched computers. 
For\nexample, an IRS-wide patch monitoring report for Windows servers, called the Associate Chief\n\n5\n TIGTA, Ref. No. 2012-20-012, An Enterprise Approach Is Needed to Address the Security Risk of Unpatched\nComputers (Sep. 2012).\n                                                                                                     Page 6\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\nInformation Officer Monthly Critical Patch Report, showed the IRS\xe2\x80\x99s overall patch compliance\nrate for critical patches averaged 88 percent in March 2012, ranging from a low of 63 percent to\na high of 88 percent for the six-month period of October 2011 to March 2012. The March 2012\nreport showed that 7,329 potential vulnerabilities remain on IRS servers because 23 critical\npatches had not been installed on servers that need them; some of these patches had been\nreleased as far back as April 2011. These vulnerabilities could potentially be exploited to gain\nunauthorized access to information, disrupt operations, or launch attacks against other systems.\nIn addition, the IRS informed us that patching is still manual for the majority of its UNIX\noperating systems and is not in accordance with patch frequencies required by the Internal\nRevenue Manual. The Enterprise Operations organization is currently testing a process for\nautomating patching on its UNIX servers.\nIRS patch management policy did not provide clear expectations for when patches must be\ninstalled. In addition, the IRS has no mechanism to enforce timely patching or to hold system\nowners accountable for ensuring that their systems are timely patched or that they formally\naccept the risk of not patching systems timely. 
By not installing security patches in a timely\nfashion, the IRS increases the risk that known vulnerabilities in its systems may be exploited.\nIn March 2012, the Government Accountability Office (GAO) also reported6 that the IRS did not\nalways apply critical patches or ensure versions of its operating system were still supported by\nthe vendor.\n2.1.8. Software assessing (scanning) capabilities are fully implemented.\nThe IRS\xe2\x80\x99s software assessing (scanning) capabilities are not yet fully implemented. The IRS\nOrganizational Common Controls Security Plan, Version 1, dated June 28, 2012, stated that the\nrequired vulnerability scanning control was not in place at the IRS organizational level and that\nthe IRS Cybersecurity organization is still in the process of coordinating with information system\nowners to implement vulnerability scanning enterprise-wide. It also stated that, for vulnerability\nscans the IRS did conduct, analysis of the scans were not being performed by the system owners.\nIn addition, it stated that the IRS has not yet deployed an automated mechanism to detect the\npresence of unauthorized software on IRS information systems.\nIn June 2012, the TIGTA reported7 that the IRS had not implemented or enforced\nenterprise-wide procedures for monitoring and remediating weaknesses reported by nCircle\nscans. These scans help to identify what details about the information system are discoverable\nby adversaries and provide an associated risk level/score. During FY 2012, the IRS\nCybersecurity organization was in the process of developing enterprise-wide standard operating\n\n\n6\n  GAO, GAO-12-393, IRS Needs to Further Enhance Internal Control Over Financial Reporting and Taxpayer\nData (Mar. 2012).\n7\n  TIGTA, Ref. No. 
2012-20-063, Enterprise-Level Oversight Is Needed to Ensure Adherence to Windows Server\nSecurity Policies (June 2012).\n                                                                                                     Page 7\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\nprocedures for reviewing and analyzing the results of vulnerability scans and educating system\nowners on how to prioritize and resolve the identified weaknesses.\nIn September 2011, the TIGTA reported8 that four individuals had installed and used personal\nunauthorized wireless devices on their laptops to connect to the IRS network. The TIGTA\nrecommended that the IRS implement automated nationwide network scans for unauthorized\nwireless activity, devices, and software and improve processes to handle incidents of\nnoncompliance with IRS security policy so that when unauthorized wireless activity is identified,\nsubsequent investigations and disciplinary actions are effective. The IRS plans to complete the\ncorrective action by September 28, 2012.\nAdditionally, our review of 10 sample systems\xe2\x80\x99 System Security Plans revealed that vulnerability\nscans were not being conducted in accordance with the IRS\xe2\x80\x99s defined frequency and process for\nthe three General Support System\xe2\x80\x99s (GSS) in our sample.\n2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated\nin a timely manner, as specified in organization policy or standards.\nIn June 2012, the TIGTA reported9 that monthly scanning results were not consistently being\nused to correct improper settings on Windows servers in a timely manner; rather, security\nvulnerabilities of high, medium, and low risk levels were repeatedly reported on Windows Policy\nChecker reports for two or three consecutive months. 
During FY 2012, the Cybersecurity\norganization issued standard operating procedures for the monitoring and remediation of\nweaknesses reported by the Windows server configuration scans to all IRS staff administering\nWindows servers. The document stated that the Cybersecurity organization staff will work with\nthe system administrators, application owners, and project offices to maintain a 100-percent\ncompliance level on all Windows servers across all IRS organizations.\n2.1.10. Patch management process is fully developed, as specified in organization policy or\nstandards.\nDuring the FY 2012 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to\nevaluate the IRS\xe2\x80\x99s enterprise-wide patch management process.10 The TIGTA identified that,\nalthough IRS policy requires the IRS to establish an enterprise-level group with responsibility for\npatch management, no enterprise-level group exists. Due to the lack of enterprise-level oversight\nand leadership, the IRS has not yet implemented key elements of its patch management policies\nand procedures that are needed to ensure all IRS systems are patched timely and operating\n\n\n8\n  TIGTA, Ref. No. 2011-20-101, Security Controls Over Wireless Technology Were Generally in Place; However,\nFurther Actions Can Improve Security (Sept. 2011).\n9\n  TIGTA, Ref. No. 2012-20-063, Enterprise-Level Oversight Is Needed to Ensure Adherence to Windows Server\nSecurity Policies (June 2012).\n10\n   TIGTA, Ref. No. 2012-20-012, An Enterprise Approach Is Needed to Address the Security Risk of Unpatched\nComputers (Sep. 2012).\n                                                                                                     Page 8\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\nsecurely. 
Specifically, the IRS has not:\n   \xef\x82\xb7   Completed the implementation of an accurate and complete inventory of its information\n       technology assets, which is critical for ensuring that patches are identified and applied\n       timely for all types of operating systems and software used within its environment.\n   \xef\x82\xb7   Implemented patch policy and monitoring processes to ensure patches are applied timely\n       enterprise-wide.\n   \xef\x82\xb7   Implemented controls to ensure that unsupported operating systems are not putting the\n       IRS at risk.\nIRS processes to monitor the installation of required patches need improvement. The IRS\xe2\x80\x99s\ncurrent monitoring processes are not sufficient to ensure that vulnerabilities resulting from\nunpatched systems are successfully and timely remediated. The IRS depends on the various IRS\norganizations that manage their own computers to frequently self-report patching data from their\norganization-level patch monitoring reports. This effort is labor intensive and results in\nincomplete and unverified patch data. For example, in March 2012, the IRS Information\nTechnology organization reported that it had not received percentage data for 14 consecutive\nmonths from non-Information Technology managed Windows workstations needing critical\npatches, which it needed to track patch metrics in its Information Technology Internal\nDashboard. Further, the IRS had not established patch performance metrics in terms of setting\ncompliance rate goals and measuring them on a monthly basis to ensure IRS organizations are\ncomplying with security patch policy.\n2.2. 
Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\nconfiguration management program that was not noted in the questions above.\nTo achieve FISMA-compliant configuration management, the IRS is in the process of\nimplementing a number of tools to automate tasks, that when done manually, are extremely\ntime-consuming and error-prone. However, we are concerned the IRS is not ensuring that it is\navoiding tool redundancy and, therefore, excess cost or that it will be making the most efficient\nuse of the data collections.\nTools or initiatives that the IRS already implemented or are in progress to improve its security\nposture include Business DNA (asset discovery), nCircle (vulnerability scanning), Security\nCompliance Posture Monitoring and Reporting (server configuration management), Treasury\nEnhanced Security Initiative (workstation configuration management), Altiris (Windows server\npatching), Guardium (database scanning), Knowledge Incident/Problem Service Asset\nManagement (asset inventory), CiscoWorks (network management), Tivoli (older asset\nmanagement tool), and a central repository for warehousing and integrating the collected data.\nThe Cybersecurity organization has prepared an Information Technology Security Controls\nTools Strategy for planning how all of this data will be organized and combined to provide\nnear-real-time enterprise security intelligence for decision making.\n\n                                                                                            Page 9\n\x0c                    Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                 Information Security Management Act Report for Fiscal Year 2012\n\n\n\nAs mentioned above, the Enterprise Services organization is also implementing a configuration\nand change management tool, called the ECMS. 
This solution is comprised of a number of\ncommercial off-the-shelf products that include a configuration item discovery tool (the\nDiscovery and Dependency Mapping Advanced tool), a central repository of configuration items\nand related components, change management analysis, and other tools for monitoring and\nmaintaining configuration compliance. The Enterprise Services organization stated that until the\nECMS is implemented, the IRS will continue to lack the capability to effectively implement\nconfiguration and change management.\nWe believe the IRS should ensure that data collected by its various tools and organizations will\nbe efficiently utilized and that the IRS is not developing duplicative configuration management\nprocesses or products. For example, our discussions with the Cybersecurity and Enterprise\nServices organizations revealed that an approach for integrating the configuration management\ndata collected by both organizations has not yet been formulated.\n\nIdentity and Access Management\nProper identity and access management ensures that users and devices are properly authorized to\naccess information or information systems. Users and devices must be authenticated to ensure\nthat they are who they identify themselves to be. In most systems, a user name and password\nserve as the primary means of authentication, while the system enforces authorized access rules\nestablished by the system administrator. To ensure that only authorized users and devices have\naccess to a system, policy and procedures must be in place for the creation, distribution,\nmaintenance, and eventual termination of accounts. 
The use of Personal Identity Verification (PIV) cards by all agencies, required by Homeland Security Presidential Directive-12 (HSPD-12),[11] is a major component of a secure, Government-wide account and identity management system.

The IRS has not fully implemented the following seven identity and access management attributes specified by the DHS metrics:
     3.1.4. If multifactor authentication is in use, it is linked to the organization's PIV program, where appropriate.
     3.1.5. Organization has adequately planned for implementation of PIV for logical access in accordance with government policies.
     3.1.6. Ensures that the users are granted access based on needs and separation of duties principles.
     3.1.7. Identifies devices with Internet Protocol addresses that are attached to the network and distinguishes these devices from users.
     3.1.8. Identifies all user and nonuser accounts (refers to user accounts that are on a system.)
     3.1.9. Ensures that accounts are terminated or deactivated once access is no longer required.
     3.1.10. Identifies and controls use of shared accounts.

[11] On August 27, 2004, President Bush signed HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors. This directive established a new standard for issuing and maintaining identification badges for Federal employees and contractors entering Government facilities and accessing computer systems. The intent was to improve security, increase Government efficiency, reduce identity fraud, and protect personal privacy. Agencies are required to use PIV badges (also referred to as SmartID cards) to access computer systems (logical access).

3.1.4. If multifactor authentication is in use, it is linked to the organization's PIV program, where appropriate.

During the FY 2012 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to evaluate the implementation and security of the IRS's two-factor authentication for logical (system) access.[12] The IRS has not deployed multifactor authentication via the use of an HSPD-12 PIV card for all users for network and local access to nonprivileged or privileged accounts as required by Federal mandate. Therefore, the IRS's multifactor authentication is not yet linked to its PIV program.

3.1.5. Organization has adequately planned for implementation of PIV for logical access in accordance with Government policies.

The IRS has experienced significant delays in deploying PIV cards for logical access, which reveals the IRS's inadequate planning efforts. The Federal Government mandated that agencies implement PIV cards to access computer systems in August 2004. The IRS originally planned to complete the deployment by September 2011.
The deployment is now planned to be completed by July 2013, but various issues threaten further delays, including:
     •   The inability of the IRS to require its employees to use their PIV cards for logical access to the network because it did not negotiate mandatory use of the cards with the National Treasury Employees Union.
     •   Resolving PIV card deployment for system administrators, who currently require separate identities to perform administrator services on computer systems.
     •   The large number (1,888) of IRS applications that are not yet PIV card-enabled and the lack of resources to change these existing applications.

[12] TIGTA, Ref. No. 2012-20-115, Using SmartID Cards to Access Computer Systems Is Taking Longer Than Expected (Sept. 2012).

3.1.6. Ensures that the users are granted access based on needs and separation of duties principles.

Two of the three GSSs in our sample did not have the controls in place to ensure users are granted access based on needs or to enforce separation of duties. Applications residing on GSSs often rely on the GSS to implement these controls; therefore, the applications residing on these GSSs would also inherit these weaknesses.

The most recent security control assessment for one of the two GSSs that did not have these controls in place stated that accounts are not managed, enforced, separated, or deployed with least privilege in accordance with IRS policy requirements for all GSS components.
Also, the most recent security control assessment for the other GSS found controls for granting access based on needs and for separation of duties were not implemented. For example, the operating system administrator could perform database administrator functions.

In addition, the GAO reported in March 2012[13] that IRS authorization controls were not always functioning as intended and access authorization policies were not effectively implemented. For example, systems used to process tax and financial information did not fully prevent access by unauthorized users or excessive levels of access for authorized users. In addition, the IRS's compliance checks revealed unauthorized access to another system. During its monthly compliance check in August 2011, the IRS identified 16 users who had been granted access to the procurement system without receiving approval from the IRS's authorization system. Also, the data in a shared work area used to support accounting operations were fully accessible by network administration staff although they did not need such access.

3.1.7. Identifies devices with Internet Protocol addresses that are attached to the network and distinguishes these devices from users.

The IRS informed us that Business DNA will be its enterprise asset discovery tool for identifying devices on its network. Business DNA network scans can identify devices with Internet Protocol addresses that are attached to the network and distinguish these devices from users. However, the full implementation of the Business DNA tool is not expected to be completed until September 2012. Therefore, the IRS has not yet fully implemented this attribute.

We also found that one of our three sample GSSs did not have device identification and authentication in place. It did not uniquely identify and authenticate devices or users before establishing a connection.
Also, its firewalls did not use the Terminal Access Controller Access Control System[14] to authenticate organization users or devices. Rather, these firewalls were accessed via a shared administrator account.

[13] GAO, GAO-12-393, IRS Needs to Further Enhance Internal Control Over Financial Reporting and Taxpayer Data (Mar. 2012).
[14] An enterprise access control security system that provides device/network access authentication, authorization, and accounting.

3.1.8. Identifies all user and nonuser accounts.

No information was provided to determine how the IRS identifies all user and nonuser accounts.

3.1.9. Ensures that accounts are terminated or deactivated once access is no longer required.

Three of our 10 sample systems (two GSSs and one application) did not have controls in place to ensure accounts are terminated or deactivated once access is no longer needed.
The most recent security control assessment for one GSS found:
     •   The system did not disable inactive accounts after 120 days of inactivity and did not employ automated mechanisms to audit account creation, modification, disabling, and termination actions.
     •   Evidence was not provided to ensure system accounts are reviewed at least annually.
     •   The system was not configured to notify appropriate individuals when accounts were modified.
     •   Evidence was not provided to ensure system accounts were reviewed at least annually and automated mechanisms were employed to support system account management functions.
     •   No automated mechanisms existed to support information system account management functions.
     •   Inactive accounts were not automatically disabled.

For the other GSS, the most recent security control assessment found:
     •   Accounts were not automatically disabled.
     •   The log files did not contain any evidence of logging the account creation, modification, disabling, and termination actions of a user account.

For the one application, its most recent security control assessment found that it did not disable accounts after 45 days or remove accounts after 90 days of inactivity.

Further, the GAO reported in March 2012[15] that the IRS had not taken actions to remove active application accounts in a timely manner for employees who had separated or no longer needed access.

[15] GAO, GAO-12-393, IRS Needs to Further Enhance Internal Control Over Financial Reporting and Taxpayer Data (Mar. 2012).

3.1.10. Identifies and controls use of shared accounts.

One of the GSSs in our sample was not adequately identifying and controlling use of shared accounts. The most recent security control assessment found that the administrative account for this GSS was shared. For example, the operating system administrator had the ability to "switch user" into Oracle using the "root" password. This login process is not uniquely linked to any one individual. Rather, this access is "shared" among the operating system administrators. Sharing this account in this manner allows fully privileged actions to be taken on the system without any accountability. In addition, passwords were stored and transmitted in plaintext.

Also, in June 2012, the TIGTA reported[16] that administrative accounts on Windows servers were not being properly safeguarded in accordance with IRS policy. Specifically, administrators in two IRS organizations were using the built-in system administrator accounts to perform normal administrative duties rather than only in emergencies as required by IRS policy. Seven administrators in one organization and 14 administrators in the other were sharing the password to the built-in accounts and were using these accounts for administrative tasks rather than using their unique role-based administrator accounts.
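As an added illustration of what the 3.1.9 and 3.1.10 findings above mean in practice (example code, not IRS or TIGTA tooling), the following Python review runs over a constructed account inventory and constructed audit log lines: it flags accounts past the 45-day disable and 90-day removal thresholds the application finding cites, lists account lifecycle actions the log never records, and reports built-in administrator accounts logged into from more than one host. All account names, hosts, dates and the log format are constructed assumptions.

```python
"""Account-management review checks (added example; constructed data).

Thresholds default to the 45-day disable / 90-day removal values cited in
the findings; the 120-day GSS threshold can be passed in instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    created: date
    last_login: Optional[date]   # None: never used since creation
    enabled: bool
    separated: bool = False      # owner has left or no longer needs access


# Lifecycle actions an account-management audit trail must record.
LIFECYCLE_ACTIONS = {"create", "modify", "disable", "terminate"}

# Built-in, non-attributable accounts that policy reserves for emergencies.
BUILTIN_ADMIN_ACCOUNTS = {"Administrator", "root"}


def review_accounts(accounts: List[Account], as_of: date,
                    disable_after: int = 45, remove_after: int = 90) -> Dict[str, str]:
    """Map each account to the action the inactivity policy requires.

    'remove'  -- owner separated, or idle for remove_after days or more
    'disable' -- still enabled and idle for disable_after days or more
    'ok'      -- within policy
    """
    actions = {}
    for acct in accounts:
        if acct.separated:
            actions[acct.name] = "remove"
            continue
        idle_days = (as_of - (acct.last_login or acct.created)).days
        if idle_days >= remove_after:
            actions[acct.name] = "remove"
        elif acct.enabled and idle_days >= disable_after:
            actions[acct.name] = "disable"
        else:
            actions[acct.name] = "ok"
    return actions


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse constructed audit lines: '<timestamp> <action> <account> <source host>'."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            events.append(dict(zip(("ts", "action", "account", "source"), parts)))
    return events


def lifecycle_gaps(lines: List[str]) -> List[str]:
    """Lifecycle actions with no evidence in the log (the second GSS finding)."""
    seen = {e["action"] for e in parse_log(lines)}
    return sorted(LIFECYCLE_ACTIONS - seen)


def shared_builtin_logins(lines: List[str]) -> Dict[str, List[str]]:
    """Built-in admin accounts logged into from more than one source host.

    A reserved account used from several workstations is the usual trace of a
    shared password; returns {account: sorted source hosts}.
    """
    sources = defaultdict(set)
    for e in parse_log(lines):
        if e["action"] == "login" and e["account"] in BUILTIN_ADMIN_ACCOUNTS:
            sources[e["account"]].add(e["source"])
    return {acct: sorted(hosts) for acct, hosts in sources.items() if len(hosts) > 1}


# Constructed sample data for a review dated 2012-08-01.
REVIEW_DATE = date(2012, 8, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", date(2011, 1, 10), date(2012, 7, 20), True),      # 12 days idle
    Account("asmith", date(2011, 1, 10), date(2012, 6, 1), True),     # 61 days idle
    Account("svc_backup", date(2010, 5, 5), date(2012, 5, 1), True),  # 92 days idle
    Account("newhire", date(2012, 3, 1), None, True),                 # never used, 153 days
    Account("tjones", date(2009, 9, 9), date(2012, 7, 31), True, separated=True),
]
SAMPLE_LOG = [
    "2012-07-01T09:00:00Z create svc_backup ws-admin01",
    "2012-07-02T10:15:00Z modify asmith ws-admin02",
    "2012-07-03T08:00:00Z login Administrator ws-admin01",
    "2012-07-03T08:05:00Z login Administrator ws-admin07",
    "2012-07-03T08:06:00Z login root db-srv01",
    "2012-07-30T08:45:00Z login jdoe ws-0412",
]

if __name__ == "__main__":
    for name, action in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{name:12s} {action}")
    print("lifecycle actions never logged:", lifecycle_gaps(SAMPLE_LOG))
    print("built-in accounts used from several hosts:", shared_builtin_logins(SAMPLE_LOG))
```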
Consequently, individual accountability was lost as to by whom and for what purposes these full-privileged accounts were being accessed.

Security Training

The FISMA requires all Government personnel and contractors to complete annual security awareness training that provides instruction on threats to data security and responsibilities for information protection. It also requires specialized training for personnel and contractors with significant security responsibilities. Without adequate security training programs, agencies cannot provide appropriate training or ensure that all personnel receive the required training.

The IRS had not fully implemented the following security training attribute specified by the DHS metrics: 6.1.5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other organization users) with significant information security responsibilities that require specialized training.

6.1.5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other organization users) with significant information security responsibilities that require specialized training.

The DHS provided clarification for this attribute as it relates to contractors, stating that agencies should be providing and tracking completion of specialized training for contractors just as they would for Federal employees. The specialized training requirement is based on the role of the contractor, not just on contractor status. Whoever holds a significant security role needs to receive specialized role-based training.

[16] TIGTA, Ref. No. 2012-20-063, Enterprise-Level Oversight Is Needed to Ensure Adherence to Windows Server Security Policies (June 2012).

The IRS has not fully implemented identification and tracking of the status of specialized role-based training for contractors. However, the IRS stated it is making plans to implement such tracking by October 15, 2012. The Contractor Security Management office in the Agency-Wide Shared Services organization is currently leading efforts to modify its contractor tracking system to allow the identification of those contractors with significant security responsibilities, with subsequent plans to implement a process to monitor and track completion of contractor specialized training. Once identified, the IRS would rely on the contractors to provide and self-report the completion of their required specialized training hours. Preliminary IRS results indicated that 919 such contractors were employed during the FISMA FY 2012 reporting period, with only 99 of those having confirmed that they completed the required training.

The IRS did not agree that it should provide specialized training for contractors and supported its position by citing the U.S. Office of Personnel Management's Training Policy Handbook, which states:

       Since contractors are selected for their expertise in a subject area, contractors may only be trained in skills they are not required to bring to the job. Contractors may be trained in rules, practices, procedures, and/or systems that are unique to the employing agency and essential to the performance of the contractor's assigned duties, such as agency computer security procedures.
       However, the authority for training of contractors is not in training law. It is in the authority to administer contracts. Training of contractors is subject to the decision of the chief contracting official.

The IRS stated that to require it to provide, track, and report specialized training completions for contractors would present significant challenges, including requiring thousands of contract language modifications before it could enforce this requirement for contract employees.

Appendix I

Fiscal Year 2012 Reporting Metrics

Presented below is the list of reporting metrics questions and information as detailed in the Fiscal Year 2012 Inspector General Federal Information Security Management Act (FISMA) Reporting Metrics.[1] The list is presented in its entirety, along with the accompanying Purpose and Use information. Following each metric is a notation identifying each individual question as an Administration Priority (AP), a Key FISMA Metric (KFM), or a Baseline Question (Base). Many abbreviations in this list are used as presented in the original document and are not defined therein. However, we have provided the definitions in the Abbreviations page after the Table of Contents of this report.

1.      CONTINUOUS MONITORING MANAGEMENT
        1.1.    Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
                1.1.1. Documented policies and procedures for continuous monitoring (NIST 800-53: CA-7). (AP)
                1.1.2. Documented strategy and plans for continuous monitoring (NIST 800-37 Rev. 1, Appendix G). (AP)
                1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST 800-53, NIST 800-53A). (AP)
                1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports as well as POA&M additions and updates, with the frequency defined in the strategy and/or plans (NIST 800-53, NIST 800-53A). (AP)
        1.2.    Please provide any additional information on the effectiveness of the organization's continuous monitoring management program that was not noted in the questions above.

[1] U.S. Department of Homeland Security, National Cyber Security Division, Fiscal Year 2012 Inspector General Federal Information Security Management Act Reporting Metrics, pp. 6–17 (Mar. 2012). The FISMA is encoded in Title III of the E-Government Act of 2002; Pub. L. No. 107-374, 116 Stat. 2899.

Purpose and Use
These questions are being asked for the following reasons:
     •   The Federal Continuous Monitoring Working Group (CMWG) has determined that continuous monitoring (CM) of configurations is one of the first areas where CM capabilities need to be developed. This applies to both operating systems and widely used applications.
     •   Even with a completely hardened system, exploitation may still occur due to zero-day vulnerabilities. However, this forces attackers to elevate their sophistication for successful attacks.
     •   Rather, a robust continuous monitoring solution will be able to provide additional visibility for organizations to identify signs of compromise, though no single indicator may identify a definitive incident.

2.      CONFIGURATION MANAGEMENT
        2.1.    Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
                2.1.1. Documented policies and procedures for configuration management. (Base)
                2.1.2. Standard baseline configurations defined. (Base)
                2.1.3. Assessing for compliance with baseline configurations. (Base)
                2.1.4. Process for timely, as specified in organization policy or standards, remediation of scan result deviations. (Base)
                2.1.5. For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented. (Base)
                2.1.6. Documented proposed or actual changes to hardware and software configurations. (Base)
                2.1.7. Process for timely and secure installation of software patches. (Base)
                2.1.8. Software assessing (scanning) capabilities are fully implemented (NIST 800-53: RA-5, SI-2). (Base)
                2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards. (NIST 800-53: CM-4, CM-6, RA-5, SI-2). (Base)
                2.1.10. Patch management process is fully developed, as specified in organization policy or standards. (NIST 800-53: CM-3, SI-2). (Base)
        2.2.    Please provide any additional information on the effectiveness of the organization's configuration management program that was not noted in the questions above.

Purpose and Use
These questions are being asked for the following reasons:
     •   A key goal of configuration management is to make assets harder to exploit through better configuration.
     •   A key assumption is that configuration management covers the universe of assets to which other controls need to be applied (controls that are defined under asset management).
     •   To have a capable configuration management program, the configuration management capability needs to be:
            o   Relatively complete, covering enough of the software base to significantly increase the effort required for a successful attack.
            o   Relatively timely, being able to find and fix configuration deviations faster than they can be exploited.

3.      IDENTITY AND ACCESS MANAGEMENT
        3.1.    Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? If yes, besides the improvement opportunities that have been identified by the OIG, does the program include the following attributes:
                3.1.1. Documented policies and procedures for account and identity management (NIST 800-53: AC-1). (Base)
                3.1.2. Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST 800-53, AC-2). (Base)
                3.1.3. Identifies when special access requirements (e.g., multifactor authentication) are necessary. (Base)
                3.1.4. If multifactor authentication is in use, it is linked to the organization's PIV program, where appropriate (NIST 800-53, IA-2). (KFM)
                3.1.5. Organization has adequately planned for implementation of PIV for logical access in accordance with Government policies (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11). (AP)
                3.1.6. Ensures that the users are granted access based on needs and separation of duties principles. (Base)
                3.1.7. Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users. (For example: IP phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or servers that have user accounts.) (Base)
                3.1.8. Identifies all user and nonuser accounts (refers to user accounts that are on a system. Examples of nonuser accounts are accounts such as an IP that is set up for printing. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes that are not associated with a single user or a specific group of users.) (Base)
                3.1.9. Ensures that accounts are terminated or deactivated once access is no longer required. (Base)
                3.1.10. Identifies and controls use of shared accounts. (Base)
        3.2.    Please provide any additional information on the effectiveness of the organization's identity and access management program that was not noted in the questions above.

Purpose and Use
These questions are being asked for the following reasons:
     •   OMB and DHS have determined that Federal identity management (HSPD-12) is among the areas where additional controls need to be developed. See also OMB M-04-04 for web-based systems.
     •   Strong information system authentication requires multiple factors to securely authenticate a user. Secure authentication requires something you have, something you are, and something you know. A single-factor authentication mechanism, such as a username and password, is insufficient to block even basic attackers.
     •   The USG will first move to a two-factor authentication using PIV cards, though a stronger authentication solution would include all three factors.
     •   Enhanced identity management solutions also support the adoption of additional nonsecurity benefits, such as single sign-on, more useable systems, and enhanced identity capabilities for legal and nonrepudiation needs.
     •   A key goal of identity and access management is to make sure that access rights are only given to the intended individuals and/or processes.[2]
     •   To have a capable identity management program, this capability needs to be:
            o   Relatively complete, covering all accounts.
            o   Relatively timely, being able to find and remove stale or compromised accounts faster than they can be exploited.

4.      INCIDENT RESPONSE AND REPORTING
        4.1.    Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
                4.1.1. Documented policies and procedures for detecting, responding to, and reporting incidents (NIST 800-53: IR-1). (Base)
                4.1.2. Comprehensive analysis, validation, and documentation of incidents. (KFM)
                4.1.3. When applicable, reports to US-CERT within established time frames (NIST 800-53, 800-61, and OMB M-07-16, M-06-19). (KFM)
                4.1.4. When applicable, reports to law enforcement within established time frames (SP 800-86). (KFM)
                4.1.5.
Responds\xc2\xa0to\xc2\xa0and\xc2\xa0resolves\xc2\xa0incidents\xc2\xa0in\xc2\xa0a\xc2\xa0timely\xc2\xa0manner,\xc2\xa0as\xc2\xa0specified\xc2\xa0in\xc2\xa0\n                            organization\xc2\xa0policy\xc2\xa0or\xc2\xa0standards,\xc2\xa0to\xc2\xa0minimize\xc2\xa0further\xc2\xa0damage\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0\n                            800\xe2\x80\x9061,\xc2\xa0and\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9007\xe2\x80\x9016,\xc2\xa0M\xe2\x80\x9006\xe2\x80\x9019).\xc2\xa0(KFM)\xc2\xa0\n                  4.1.6. Is\xc2\xa0capable\xc2\xa0of\xc2\xa0tracking\xc2\xa0and\xc2\xa0managing\xc2\xa0risks\xc2\xa0in\xc2\xa0a\xc2\xa0virtual/cloud\xc2\xa0environment,\xc2\xa0if\xc2\xa0\n                         applicable.\xc2\xa0(Base)\xc2\xa0\n                  4.1.7. Is\xc2\xa0capable\xc2\xa0of\xc2\xa0correlating\xc2\xa0incidents.\xc2\xa0(Base)\xc2\xa0\n                  4.1.8. There\xc2\xa0is\xc2\xa0sufficient\xc2\xa0incident\xc2\xa0monitoring\xc2\xa0and\xc2\xa0detection\xc2\xa0coverage\xc2\xa0in\xc2\xa0accordance\xc2\xa0\n                            with\xc2\xa0Government\xc2\xa0policies\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0800\xe2\x80\x9061,\xc2\xa0and\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9007\xe2\x80\x9016,\xc2\xa0M\xe2\x80\x9006\xe2\x80\x9019).\xc2\xa0\n                            (Base)\xc2\xa0\n         4.2.     Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                  incident\xc2\xa0management\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\n\n\n\n2\n  This is done, of course, by establishing a process to assign attributes to a digital identity and by connecting an\nindividual to that identity. 
However, this would be pointless without subsequently using it to control access.\n                                                                                                                Page 20\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Given\xc2\xa0real\xc2\xa0world\xc2\xa0realities,\xc2\xa0it\xc2\xa0is\xc2\xa0reasonable\xc2\xa0to\xc2\xa0expect\xc2\xa0that\xc2\xa0some\xc2\xa0attacks\xc2\xa0will\xc2\xa0succeed.\xc2\xa0\xc2\xa0\n         Organizations\xc2\xa0need\xc2\xa0to\xc2\xa0be\xc2\xa0able\xc2\xa0to\xc2\xa0detect\xc2\xa0those\xc2\xa0attacks.\xc2\xa0\xc2\xa0Ideally,\xc2\xa0organizations\xc2\xa0would\xc2\xa0defend\xc2\xa0\n         against\xc2\xa0those\xc2\xa0attacks\xc2\xa0in\xc2\xa0real\xc2\xa0time;\xc2\xa0but\xc2\xa0at\xc2\xa0a\xc2\xa0minimum,\xc2\xa0organizations\xc2\xa0are\xc2\xa0expected\xc2\xa0to\xc2\xa0determine\xc2\xa0\n         the\xc2\xa0kinds\xc2\xa0of\xc2\xa0attacks\xc2\xa0that\xc2\xa0are\xc2\xa0most\xc2\xa0successful.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   This\xc2\xa0allows\xc2\xa0the\xc2\xa0organization\xc2\xa0to\xc2\xa0use\xc2\xa0this\xc2\xa0information\xc2\xa0about\xc2\xa0successful\xc2\xa0attacks\xc2\xa0and\xc2\xa0their\xc2\xa0impact\xc2\xa0to\xc2\xa0\n         make\xc2\xa0informed\xc2\xa0risk\xe2\x80\x90based\xc2\xa0decisions\xc2\xa0about\xc2\xa0where\xc2\xa0it\xc2\xa0is\xc2\xa0most\xc2\xa0cost\xc2\xa0effective\xc2\xa0and\xc2\xa0essential\xc2\xa0to\xc2\xa0focus\xc2\xa0\n         security\xc2\xa0resources.\xc2\xa0\xc2\xa0\n\n5.       RISK\tMANAGEMENT\xc2\xa0\n         5.1.    
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0risk\xc2\xa0management\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0consistent\xc2\xa0with\xc2\xa0\n                 FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0\n                 improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0\n                 program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                 5.1.1. Documented\xc2\xa0and\xc2\xa0centrally\xc2\xa0accessible\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0risk\xc2\xa0\n                         management,\xc2\xa0including\xc2\xa0descriptions\xc2\xa0of\xc2\xa0the\xc2\xa0roles\xc2\xa0and\xc2\xa0responsibilities\xc2\xa0of\xc2\xa0\n                         participants\xc2\xa0in\xc2\xa0this\xc2\xa0process.\xc2\xa0(Base)\xc2\xa0\n                 5.1.2. Addresses\xc2\xa0risk\xc2\xa0from\xc2\xa0an\xc2\xa0organization\xc2\xa0perspective\xc2\xa0with\xc2\xa0the\xc2\xa0development\xc2\xa0of\xc2\xa0a\xc2\xa0\n                         comprehensive\xc2\xa0governance\xc2\xa0structure\xc2\xa0and\xc2\xa0organization\xe2\x80\x90wide\xc2\xa0risk\xc2\xa0management\xc2\xa0\n                         strategy\xc2\xa0as\xc2\xa0described\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9037,\xc2\xa0Rev.\xc2\xa01.\xc2\xa0(Base)\xc2\xa0\n                 5.1.3. 
Addresses\xc2\xa0risk\xc2\xa0from\xc2\xa0a\xc2\xa0mission\xc2\xa0and\xc2\xa0business\xc2\xa0process\xc2\xa0perspective\xc2\xa0and\xc2\xa0is\xc2\xa0guided\xc2\xa0by\xc2\xa0\n                         the\xc2\xa0risk\xc2\xa0decisions\xc2\xa0at\xc2\xa0the\xc2\xa0organizational\xc2\xa0perspective,\xc2\xa0as\xc2\xa0described\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9037,\xc2\xa0\n                         Rev.\xc2\xa01.\xc2\xa0(Base)\xc2\xa0\n                 5.1.4. Addresses\xc2\xa0risk\xc2\xa0from\xc2\xa0an\xc2\xa0information\xc2\xa0system\xc2\xa0perspective\xc2\xa0and\xc2\xa0is\xc2\xa0guided\xc2\xa0by\xc2\xa0the\xc2\xa0risk\xc2\xa0\n                         decisions\xc2\xa0at\xc2\xa0the\xc2\xa0organizational\xc2\xa0perspective\xc2\xa0and\xc2\xa0the\xc2\xa0mission\xc2\xa0and\xc2\xa0business\xc2\xa0\n                         perspective,\xc2\xa0as\xc2\xa0described\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9037,\xc2\xa0Rev.\xc2\xa01.\xc2\xa0(Base)\xc2\xa0\n                 5.1.5. Categorizes\xc2\xa0information\xc2\xa0systems\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0policies.\xc2\xa0\n                        (Base)\xc2\xa0\n                 5.1.6. Selects\xc2\xa0an\xc2\xa0appropriately\xc2\xa0tailored\xc2\xa0set\xc2\xa0of\xc2\xa0baseline\xc2\xa0security\xc2\xa0controls.\xc2\xa0(Base)\xc2\xa0\n                 5.1.7. Implements\xc2\xa0the\xc2\xa0tailored\xc2\xa0set\xc2\xa0of\xc2\xa0baseline\xc2\xa0security\xc2\xa0controls\xc2\xa0and\xc2\xa0describes\xc2\xa0how\xc2\xa0the\xc2\xa0\n                         controls\xc2\xa0are\xc2\xa0employed\xc2\xa0within\xc2\xa0the\xc2\xa0information\xc2\xa0system\xc2\xa0and\xc2\xa0its\xc2\xa0environment\xc2\xa0of\xc2\xa0\n                         operation.\xc2\xa0(Base)\xc2\xa0\n                 5.1.8. 
Assesses\xc2\xa0the\xc2\xa0security\xc2\xa0controls\xc2\xa0using\xc2\xa0appropriate\xc2\xa0assessment\xc2\xa0procedures\xc2\xa0to\xc2\xa0\n                         determine\xc2\xa0the\xc2\xa0extent\xc2\xa0to\xc2\xa0which\xc2\xa0the\xc2\xa0controls\xc2\xa0are\xc2\xa0implemented\xc2\xa0correctly,\xc2\xa0\n\n                                                                                                    Page 21\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                        operating\xc2\xa0as\xc2\xa0intended,\xc2\xa0and\xc2\xa0producing\xc2\xa0the\xc2\xa0desired\xc2\xa0outcome\xc2\xa0with\xc2\xa0respect\xc2\xa0to\xc2\xa0\n                        meeting\xc2\xa0the\xc2\xa0security\xc2\xa0requirements\xc2\xa0for\xc2\xa0the\xc2\xa0system.\xc2\xa0(Base)\xc2\xa0\n                5.1.9. Authorizes\xc2\xa0information\xc2\xa0system\xc2\xa0operation\xc2\xa0based\xc2\xa0on\xc2\xa0a\xc2\xa0determination\xc2\xa0of\xc2\xa0the\xc2\xa0risk\xc2\xa0\n                        to\xc2\xa0organizational\xc2\xa0operations\xc2\xa0and\xc2\xa0assets,\xc2\xa0individuals,\xc2\xa0other\xc2\xa0organizations,\xc2\xa0and\xc2\xa0\n                        the\xc2\xa0Nation\xc2\xa0resulting\xc2\xa0from\xc2\xa0the\xc2\xa0operation\xc2\xa0of\xc2\xa0the\xc2\xa0information\xc2\xa0system\xc2\xa0and\xc2\xa0the\xc2\xa0\n                        decision\xc2\xa0that\xc2\xa0this\xc2\xa0risk\xc2\xa0is\xc2\xa0acceptable.\xc2\xa0(Base)\xc2\xa0\n                5.1.10. 
Ensures\xc2\xa0information\xc2\xa0security\xc2\xa0controls\xc2\xa0are\xc2\xa0monitored\xc2\xa0on\xc2\xa0an\xc2\xa0ongoing\xc2\xa0basis,\xc2\xa0\n                        including\xc2\xa0assessing\xc2\xa0control\xc2\xa0effectiveness,\xc2\xa0documenting\xc2\xa0changes\xc2\xa0to\xc2\xa0the\xc2\xa0system\xc2\xa0or\xc2\xa0\n                        its\xc2\xa0environment\xc2\xa0of\xc2\xa0operation,\xc2\xa0conducting\xc2\xa0security\xc2\xa0impact\xc2\xa0analyses\xc2\xa0of\xc2\xa0the\xc2\xa0\n                        associated\xc2\xa0changes,\xc2\xa0and\xc2\xa0reporting\xc2\xa0the\xc2\xa0security\xc2\xa0state\xc2\xa0of\xc2\xa0the\xc2\xa0system\xc2\xa0to\xc2\xa0designated\xc2\xa0\n                        organizational\xc2\xa0officials.\xc2\xa0(Base)\xc2\xa0\n                5.1.11. Information\xc2\xa0system\xc2\xa0specific\xc2\xa0risks\xc2\xa0(tactical),\xc2\xa0mission/business\xc2\xa0specific\xc2\xa0risks,\xc2\xa0and\xc2\xa0\n                        organizational\xc2\xa0level\xc2\xa0(strategic)\xc2\xa0risks\xc2\xa0are\xc2\xa0communicated\xc2\xa0to\xc2\xa0appropriate\xc2\xa0levels\xc2\xa0of\xc2\xa0\n                        the\xc2\xa0organization.\xc2\xa0(Base)\xc2\xa0\n                5.1.12. Senior\xc2\xa0officials\xc2\xa0are\xc2\xa0briefed\xc2\xa0on\xc2\xa0threat\xc2\xa0activity\xc2\xa0on\xc2\xa0a\xc2\xa0regular\xc2\xa0basis\xc2\xa0by\xc2\xa0appropriate\xc2\xa0\n                        personnel\xc2\xa0(e.g.,\xc2\xa0CISO).\xc2\xa0(Base)\xc2\xa0\n                5.1.13. 
Prescribes\xc2\xa0the\xc2\xa0active\xc2\xa0involvement\xc2\xa0of\xc2\xa0information\xc2\xa0system\xc2\xa0owners\xc2\xa0and\xc2\xa0common\xc2\xa0\n                        control\xc2\xa0providers,\xc2\xa0Chief\xc2\xa0Information\xc2\xa0Officers,\xc2\xa0senior\xc2\xa0information\xc2\xa0security\xc2\xa0\n                        officers,\xc2\xa0authorizing\xc2\xa0officials,\xc2\xa0and\xc2\xa0other\xc2\xa0roles\xc2\xa0as\xc2\xa0applicable\xc2\xa0in\xc2\xa0the\xc2\xa0ongoing\xc2\xa0\n                        management\xc2\xa0of\xc2\xa0information\xc2\xa0system\xe2\x80\x90related\xc2\xa0security\xc2\xa0risks.\xc2\xa0(Base)\xc2\xa0\n                5.1.14. Security\xc2\xa0authorization\xc2\xa0package\xc2\xa0contains\xc2\xa0system\xc2\xa0security\xc2\xa0plan,\xc2\xa0security\xc2\xa0\n                        assessment\xc2\xa0report,\xc2\xa0and\xc2\xa0POA&M\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0policies\xc2\xa0\n                        (NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9018,\xc2\xa0SP\xc2\xa0800\xe2\x80\x9037).\xc2\xa0(Base)\xc2\xa0\n                5.1.15. Security\xc2\xa0authorization\xc2\xa0package\xc2\xa0contains\xc2\xa0accreditation\xc2\xa0boundaries\xc2\xa0for\xc2\xa0\n                        organization\xc2\xa0information\xc2\xa0systems\xc2\xa0defined\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0\n                        policies.\xc2\xa0(Base)\xc2\xa0\n        5.2.    
Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0risk\xc2\xa0\n                management\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use:\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   One\xc2\xa0goal\xc2\xa0in\xc2\xa0issuing\xc2\xa0these\xc2\xa0FISMA\xc2\xa0questions\xc2\xa0is\xc2\xa0to\xc2\xa0further\xc2\xa0empower\xc2\xa0OIGs\xc2\xa0to\xc2\xa0focus\xc2\xa0on\xc2\xa0how\xc2\xa0agencies\xc2\xa0\n        are\xc2\xa0evaluating\xc2\xa0risk\xc2\xa0and\xc2\xa0prioritizing\xc2\xa0security\xc2\xa0issues.\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   OIGs\xc2\xa0are\xc2\xa0encouraged\xc2\xa0to\xc2\xa0use\xc2\xa0a\xc2\xa0type\xc2\xa0of\xc2\xa0risk\xc2\xa0analysis\xc2\xa0as\xc2\xa0specified\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9039\xc2\xa0to\xc2\xa0evaluate\xc2\xa0\n        findings\xc2\xa0and\xc2\xa0compare\xc2\xa0those\xc2\xa0to\xc2\xa0(1)\xc2\xa0existing\xc2\xa0organization\xc2\xa0priorities\xc2\xa0and\xc2\xa0(2)\xc2\xa0Administration\xc2\xa0\n\n\n                                                                                                    Page 22\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\n         priorities\xc2\xa0and\xc2\xa0key\xc2\xa0FISMA\xc2\xa0metrics\xc2\xa0identified\xc2\xa0in\xc2\xa0the\xc2\xa0CIO\xc2\xa0metrics\xc2\xa0to\xc2\xa0determine\xc2\xa0areas\xc2\xa0of\xc2\xa0weakness\xc2\xa0\n         and\xc2\xa0highlight\xc2\xa0the\xc2\xa0significance\xc2\xa0of\xc2\xa0security\xc2\xa0issues.\xc2\xa0\xc2\xa0\n\n6.       SECURITY\tTRAINING\xc2\xa0\n         6.1.    
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0security\xc2\xa0training\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0consistent\xc2\xa0with\xc2\xa0\n                 FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0\n                 improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0\n                 program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                 6.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0security\xc2\xa0awareness\xc2\xa0training\xc2\xa0\n                        (NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0AT\xe2\x80\x901).\xc2\xa0(Base)\xc2\xa0\n                 6.1.2. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0specialized\xc2\xa0training\xc2\xa0for\xc2\xa0users\xc2\xa0with\xc2\xa0\n                        significant\xc2\xa0information\xc2\xa0security\xc2\xa0responsibilities.\xc2\xa0(Base)\xc2\xa0\n                 6.1.3. Security\xc2\xa0training\xc2\xa0content\xc2\xa0based\xc2\xa0on\xc2\xa0the\xc2\xa0organization\xc2\xa0and\xc2\xa0roles,\xc2\xa0as\xc2\xa0specified\xc2\xa0in\xc2\xa0\n                        organization\xc2\xa0policy\xc2\xa0or\xc2\xa0standards.\xc2\xa0(Base)\xc2\xa0\n                 6.1.4. 
Identification\xc2\xa0and\xc2\xa0tracking\xc2\xa0of\xc2\xa0the\xc2\xa0status\xc2\xa0of\xc2\xa0security\xc2\xa0awareness\xc2\xa0training\xc2\xa0for\xc2\xa0all\xc2\xa0\n                         personnel\xc2\xa0(including\xc2\xa0employees,\xc2\xa0contractors,\xc2\xa0and\xc2\xa0other\xc2\xa0organization\xc2\xa0users)\xc2\xa0with\xc2\xa0\n                         access\xc2\xa0privileges\xc2\xa0that\xc2\xa0require\xc2\xa0security\xc2\xa0awareness\xc2\xa0training.\xc2\xa0(KFM)\xc2\xa0\n                 6.1.5. Identification\xc2\xa0and\xc2\xa0tracking\xc2\xa0of\xc2\xa0the\xc2\xa0status\xc2\xa0of\xc2\xa0specialized\xc2\xa0training\xc2\xa0for\xc2\xa0all\xc2\xa0personnel\xc2\xa0\n                         (including\xc2\xa0employees,\xc2\xa0contractors,\xc2\xa0and\xc2\xa0other\xc2\xa0organization\xc2\xa0users)\xc2\xa0with\xc2\xa0significant\xc2\xa0\n                         information\xc2\xa0security\xc2\xa0responsibilities\xc2\xa0that\xc2\xa0require\xc2\xa0specialized\xc2\xa0training.\xc2\xa0(KFM)\xc2\xa0\n                 6.1.6. Training\xc2\xa0material\xc2\xa0for\xc2\xa0security\xc2\xa0awareness\xc2\xa0training\xc2\xa0does\xc2\xa0not\xc2\xa0contain\xc2\xa0appropriate\xc2\xa0\n                        content\xc2\xa0for\xc2\xa0the\xc2\xa0organization\xc2\xa0(NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9050,\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0(Base)\xc2\xa0\n         6.2.    
Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                 security\xc2\xa0training\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Some\xc2\xa0of\xc2\xa0the\xc2\xa0most\xc2\xa0effective\xc2\xa0attacks\xc2\xa0on\xc2\xa0cyber\xe2\x80\x90networks\xc2\xa0world\xe2\x80\x90wide\xc2\xa0currently\xc2\xa0are\xc2\xa0directed\xc2\xa0at\xc2\xa0\n         exploiting\xc2\xa0user\xc2\xa0behavior.\xc2\xa0\xc2\xa0These\xc2\xa0include\xc2\xa0phishing\xc2\xa0attacks,\xc2\xa0social\xc2\xa0engineering\xc2\xa0to\xc2\xa0obtain\xc2\xa0\n         passwords,\xc2\xa0and\xc2\xa0introduction\xc2\xa0of\xc2\xa0malware\xc2\xa0via\xc2\xa0removable\xc2\xa0media.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   These\xc2\xa0threats\xc2\xa0are\xc2\xa0especially\xc2\xa0effective\xc2\xa0when\xc2\xa0directed\xc2\xa0at\xc2\xa0those\xc2\xa0with\xc2\xa0elevated\xc2\xa0network\xc2\xa0privileges\xc2\xa0\n         and/or\xc2\xa0other\xc2\xa0elevated\xc2\xa0cyber\xc2\xa0responsibilities.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   DHS\xc2\xa0has\xc2\xa0determined\xc2\xa0that\xc2\xa0some\xc2\xa0metrics\xc2\xa0in\xc2\xa0this\xc2\xa0section\xc2\xa0are\xc2\xa0prioritized\xc2\xa0as\xc2\xa0Key\xc2\xa0FISMA\xc2\xa0Metrics.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Some\xc2\xa0questions\xc2\xa0in\xc2\xa0this\xc2\xa0section\xc2\xa0also\xc2\xa0contain\xc2\xa0baseline\xc2\xa0information\xc2\xa0to\xc2\xa0be\xc2\xa0used\xc2\xa0to\xc2\xa0assess\xc2\xa0future\xc2\xa0\n         improvement\xc2\xa0in\xc2\xa0performance.\xc2\xa0\xc2\xa0\n\n                                                                                                    Page 23\n\x0c 
    •   The metrics will be used to assess the extent to which organizations are providing
        adequate training to address these attacks and threats.

7.  PLAN OF ACTION & MILESTONES (POA&M)
    7.1.  Has the organization established a POA&M program that is consistent with FISMA
          requirements, OMB policy, and applicable NIST guidelines and tracks and monitors
          known information security weaknesses? If yes, besides the improvement
          opportunities that may have been identified by the OIG, does the program include
          the following attributes:
          7.1.1.  Documented policies and procedures for managing IT security weaknesses
                  discovered during security control assessments and requiring remediation.
                  (Base)
          7.1.2.  Tracks, prioritizes, and remediates weaknesses. (Base)
          7.1.3.  Ensures remediation plans are effective for correcting weaknesses. (Base)
          7.1.4.  Establishes and adheres to milestone remediation dates. (Base)
          7.1.5.  Ensures resources are provided for correcting weaknesses. (Base)
          7.1.6.  POA&Ms include security weaknesses discovered during assessments of security
                  controls and requiring remediation. (Do not need to include security
                  weaknesses due to a risk-based decision to not implement a security control)
                  (OMB M-04-25). (Base)
          7.1.7.  Costs associated with remediating weaknesses are identified (NIST SP 800-53,
                  Rev. 3, Control PM-3 and OMB M-04-25). (Base)
          7.1.8.  Program officials and contractors report progress on remediation to CIO on a
                  regular basis, at least quarterly, and the CIO centrally tracks, maintains,
                  and independently reviews/validates the POA&M activities at least quarterly
                  (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25). (Base)
    7.2.  Please provide any additional information on the effectiveness of the organization's
          POA&M program that was not noted in the questions above.

Purpose and Use
These questions are being asked for the following reasons:
    •   POA&M processes are important as part of the risk management process to track
        problems and to decide which ones to address.

8.  REMOTE ACCESS MANAGEMENT
    8.1.  Has the organization established a remote access program that is consistent with
          FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the
          improvement opportunities that may have been identified by the OIG, does the
          program include the following attributes:
          8.1.1.  Documented policies and procedures for authorizing, monitoring, and
                  controlling all methods of remote access (NIST 800-53: AC-1, AC-17). (Base)
          8.1.2.  Protects against unauthorized connections or subversion of authorized
                  connections. (Base)
          8.1.3.  Users are uniquely identified and authenticated for all access (NIST 800-46,
                  Section 4.2, Section 5.1). (Base)
          8.1.4.  Telecommuting policy is fully developed (NIST 800-46, Section 5.1). (Base)
          8.1.5.  If applicable, multifactor authentication is required for remote access
                  (NIST 800-46, Section 2.2, Section 3.3). (KFM)
          8.1.6.  Authentication mechanisms meet NIST Special Publication 800-63 guidance on
                  remote electronic authentication, including strength mechanisms. (Base)
          8.1.7.  Defines and implements encryption requirements for information transmitted
                  across public networks. (KFM)
          8.1.8.  Remote access sessions, in accordance with OMB M-07-16, are timed out after
                  30 minutes of inactivity, after which reauthentication is required. (Base)
          8.1.9.  Lost or stolen devices are disabled and appropriately reported (NIST 800-46,
                  Section 4.3, US-CERT Incident Reporting Guidelines). (Base)
          8.1.10. Remote access rules of behavior are adequate in accordance with Government
                  policies (NIST 800-53, PL-4). (Base)
          8.1.11. Remote access user agreements are adequate in accordance with Government
                  policies (NIST 800-46, Section 5.1, NIST 800-53, PS-6). (Base)
    8.2.  Please provide any additional information on the effectiveness of the organization's
          remote access management that was not noted in the questions above.

Purpose and Use
These questions are being asked for the following reasons:
    •   Adequate control of remote connections is a critical part of boundary protection.
    •   Attackers exploit boundary systems on Internet-accessible DMZ networks (and on internal
        network boundaries) and then pivot to gain deeper access on internal networks.
        Responses to the above questions will help agencies deter, detect, and defend against
        unauthorized network connections/access to internal and external networks.
    •   Remote connections allow users to access the network without gaining physical access
        to organization space and the computers hosted there. Moreover, the connections over
        the Internet provide opportunities for compromise of information in transit. Because
        these connections are beyond physical security controls, they need compensating
        controls to ensure that only properly identified and authenticated users gain access
        and that the connections prevent hijacking by others.

9.  CONTINGENCY PLANNING
    9.1.  Has the organization established an enterprise-wide business continuity/disaster
          recovery program that is consistent with FISMA requirements, OMB policy, and
          applicable NIST guidelines? If yes, besides the improvement opportunities that may
          have been identified by the OIG, does the program include the following attributes:
          9.1.1.  Documented business continuity and disaster recovery policy providing the
                  authority and guidance necessary to reduce the impact of a disruptive event
                  or disaster (NIST 800-53: CP-1). (Base)
          9.1.2.  The organization has performed an overall Business Impact Analysis (BIA)
                  (NIST SP 800-34). (Base)
          9.1.3.  Development and documentation of division, component, and IT infrastructure
                  recovery strategies, plans, and procedures (NIST SP 800-34). (Base)
          9.1.4.  Testing of system-specific contingency plans. (Base)
          9.1.5.  The documented business continuity and disaster recovery plans are in place
                  and can be implemented when necessary (FCD1, NIST SP 800-34). (Base)
          9.1.6.  Development and full implementation of test, training, and exercise (TT&E)
                  programs (FCD1, NIST SP 800-34, NIST 800-53). (Base)
          9.1.7.
Performance\xc2\xa0of\xc2\xa0regular\xc2\xa0ongoing\xc2\xa0testing\xc2\xa0or\xc2\xa0exercising\xc2\xa0of\xc2\xa0business\xc2\xa0continuity/\xc2\xa0\n                        disaster\xc2\xa0recovery\xc2\xa0plans\xc2\xa0to\xc2\xa0determine\xc2\xa0effectiveness\xc2\xa0and\xc2\xa0to\xc2\xa0maintain\xc2\xa0current\xc2\xa0\n                        plans.\xc2\xa0(Base)\xc2\xa0\n                9.1.8. After\xe2\x80\x90action\xc2\xa0report\xc2\xa0that\xc2\xa0addresses\xc2\xa0issues\xc2\xa0identified\xc2\xa0during\xc2\xa0contingency/disaster\xc2\xa0\n                       recovery\xc2\xa0exercises\xc2\xa0(FCD1,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034).\xc2\xa0(Base)\xc2\xa0\n                9.1.9. Systems\xc2\xa0that\xc2\xa0have\xc2\xa0alternate\xc2\xa0processing\xc2\xa0sites\xc2\xa0(FCD1,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034,\xc2\xa0\n                       NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0(Base)\xc2\xa0\n\n                                                                                                Page 26\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                9.1.10. Alternate\xc2\xa0processing\xc2\xa0sites\xc2\xa0are\xc2\xa0subject\xc2\xa0to\xc2\xa0the\xc2\xa0same\xc2\xa0risks\xc2\xa0as\xc2\xa0primary\xc2\xa0sites\xc2\xa0(FCD1,\xc2\xa0\n                        NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0\n                9.1.11. Backups\xc2\xa0of\xc2\xa0information\xc2\xa0that\xc2\xa0are\xc2\xa0performed\xc2\xa0in\xc2\xa0a\xc2\xa0timely\xc2\xa0manner\xc2\xa0(FCD1,\xc2\xa0\n                        NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0(Base)\xc2\xa0\n                9.1.12. 
Contingency\xc2\xa0planning\xc2\xa0that\xc2\xa0considers\xc2\xa0supply\xc2\xa0chain\xc2\xa0threats.\xc2\xa0(Base)\xc2\xa0\n        9.2.    Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                contingency\xc2\xa0planning\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   Contingency\xc2\xa0planning\xc2\xa0deals\xc2\xa0with\xc2\xa0risks\xc2\xa0which\xc2\xa0occur\xc2\xa0rarely.\xc2\xa0\xc2\xa0As\xc2\xa0such,\xc2\xa0there\xc2\xa0is\xc2\xa0a\xc2\xa0temptation\xc2\xa0to\xc2\xa0\n        ignore\xc2\xa0these\xc2\xa0risks.\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   The\xc2\xa0purpose\xc2\xa0of\xc2\xa0this\xc2\xa0section\xc2\xa0is\xc2\xa0to\xc2\xa0determine\xc2\xa0if\xc2\xa0the\xc2\xa0organization\xc2\xa0is\xc2\xa0giving\xc2\xa0adequate\xc2\xa0attention\xc2\xa0to\xc2\xa0\n        the\xc2\xa0rare\xc2\xa0events\xc2\xa0which\xc2\xa0have\xc2\xa0such\xc2\xa0significant\xc2\xa0consequences\xc2\xa0that\xc2\xa0they\xc2\xa0become\xc2\xa0first\xe2\x80\x90priority\xc2\xa0risks.\xc2\xa0\xc2\xa0\n\n10.     CONTRACTOR\tSYSTEMS\xc2\xa0\n        10.1. 
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0program\xc2\xa0to\xc2\xa0oversee\xc2\xa0systems\xc2\xa0operated\xc2\xa0on\xc2\xa0its\xc2\xa0behalf\xc2\xa0\n                by\xc2\xa0contractors\xc2\xa0or\xc2\xa0other\xc2\xa0entities,\xc2\xa0including\xc2\xa0organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0residing\xc2\xa0in\xc2\xa0\n                the\xc2\xa0cloud\xc2\xa0external\xc2\xa0to\xc2\xa0the\xc2\xa0organization?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0improvement\xc2\xa0opportunities\xc2\xa0\n                that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0program\xc2\xa0includes\xc2\xa0the\xc2\xa0following\xc2\xa0\n                attributes:\xc2\xa0\n                10.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0information\xc2\xa0security\xc2\xa0oversight\xc2\xa0of\xc2\xa0\n                        systems\xc2\xa0operated\xc2\xa0on\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0behalf\xc2\xa0by\xc2\xa0contractors\xc2\xa0or\xc2\xa0other\xc2\xa0entities,\xc2\xa0\n                        including\xc2\xa0organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0residing\xc2\xa0in\xc2\xa0public\xc2\xa0cloud.\xc2\xa0(Base)\xc2\xa0\n                10.1.2. The\xc2\xa0organization\xc2\xa0obtains\xc2\xa0sufficient\xc2\xa0assurance\xc2\xa0that\xc2\xa0security\xc2\xa0controls\xc2\xa0of\xc2\xa0such\xc2\xa0\n                        systems\xc2\xa0and\xc2\xa0services\xc2\xa0are\xc2\xa0effectively\xc2\xa0implemented\xc2\xa0and\xc2\xa0comply\xc2\xa0with\xc2\xa0Federal\xc2\xa0and\xc2\xa0\n                        organization\xc2\xa0guidelines.\xc2\xa0(Base)\xc2\xa0\n                10.1.3. 
A\xc2\xa0complete\xc2\xa0inventory\xc2\xa0of\xc2\xa0systems\xc2\xa0operated\xc2\xa0on\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0behalf\xc2\xa0by\xc2\xa0\n                        contractors\xc2\xa0or\xc2\xa0other\xc2\xa0entities,\xc2\xa0including\xc2\xa0organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0\n                        residing\xc2\xa0in\xc2\xa0public\xc2\xa0cloud.\xc2\xa0(Base)\xc2\xa0\n                10.1.4. The\xc2\xa0inventory\xc2\xa0identifies\xc2\xa0interfaces\xc2\xa0between\xc2\xa0these\xc2\xa0systems\xc2\xa0and\xc2\xa0\n                        organization\xe2\x80\x90operated\xc2\xa0systems\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0PM\xe2\x80\x905).\xc2\xa0(Base)\xc2\xa0\n                10.1.5. The\xc2\xa0organization\xc2\xa0requires\xc2\xa0appropriate\xc2\xa0agreements\xc2\xa0(e.g.,\xc2\xa0MOUs,\xc2\xa0Interconnection\xc2\xa0\n                        Security\xc2\xa0Agreements,\xc2\xa0contracts,\xc2\xa0etc.)\xc2\xa0for\xc2\xa0interfaces\xc2\xa0between\xc2\xa0these\xc2\xa0systems\xc2\xa0and\xc2\xa0\n                        those\xc2\xa0that\xc2\xa0it\xc2\xa0owns\xc2\xa0and\xc2\xa0operates.\xc2\xa0(Base)\xc2\xa0\n\n                                                                                                  Page 27\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n               10.1.6. The\xc2\xa0inventory\xc2\xa0of\xc2\xa0contractor\xc2\xa0systems\xc2\xa0is\xc2\xa0updated\xc2\xa0at\xc2\xa0least\xc2\xa0annually.\xc2\xa0(Base)\xc2\xa0\n               10.1.7. 
Systems\xc2\xa0that\xc2\xa0are\xc2\xa0owned\xc2\xa0or\xc2\xa0operated\xc2\xa0by\xc2\xa0contractors\xc2\xa0or\xc2\xa0entities,\xc2\xa0including\xc2\xa0\n                       organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0residing\xc2\xa0in\xc2\xa0public\xc2\xa0cloud,\xc2\xa0are\xc2\xa0compliant\xc2\xa0with\xc2\xa0\n                       FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines.\xc2\xa0(Base)\xc2\xa0\n       10.2. Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n             contractor\xc2\xa0systems\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   These\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0because\xc2\xa0in\xc2\xa0the\xc2\xa0past\xc2\xa0some\xc2\xa0Federal\xc2\xa0agencies\xc2\xa0tended\xc2\xa0to\xc2\xa0assume\xc2\xa0\n       that\xc2\xa0they\xc2\xa0were\xc2\xa0not\xc2\xa0responsible\xc2\xa0for\xc2\xa0managing\xc2\xa0the\xc2\xa0risk\xc2\xa0of\xc2\xa0contractor\xc2\xa0systems.\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   The\xc2\xa0key\xc2\xa0question\xc2\xa0is\xc2\xa0\xe2\x80\x9cAre\xc2\xa0these\xc2\xa0contractor\xe2\x80\x90operated\xc2\xa0systems\xc2\xa0being\xc2\xa0managed\xc2\xa0to\xc2\xa0ensure\xc2\xa0that\xc2\xa0they\xc2\xa0\n       have\xc2\xa0adequate\xc2\xa0security\xc2\xa0and\xc2\xa0can\xc2\xa0the\xc2\xa0DAA\xc2\xa0make\xc2\xa0an\xc2\xa0informed\xc2\xa0decision\xc2\xa0about\xc2\xa0whether\xc2\xa0or\xc2\xa0not\xc2\xa0to\xc2\xa0\n       accept\xc2\xa0any\xc2\xa0residual\xc2\xa0risk?\xe2\x80\x9d\xc2\xa0\xc2\xa0\n\n11.    SECURITY\tCAPITAL\tPLANNING\xc2\xa0\n       11.1. 
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0security\xc2\xa0capital\xc2\xa0planning\xc2\xa0and\xc2\xa0investment\xc2\xa0program\xc2\xa0for\xc2\xa0\n               information\xc2\xa0security?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0\n               been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n               11.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0to\xc2\xa0address\xc2\xa0information\xc2\xa0security\xc2\xa0in\xc2\xa0the\xc2\xa0\n                       capital\xc2\xa0planning\xc2\xa0and\xc2\xa0investment\xc2\xa0control\xc2\xa0(CPIC)\xc2\xa0process.\xc2\xa0(Base)\xc2\xa0\n               11.1.2. Includes\xc2\xa0information\xc2\xa0security\xc2\xa0requirements\xc2\xa0as\xc2\xa0part\xc2\xa0of\xc2\xa0the\xc2\xa0capital\xc2\xa0planning\xc2\xa0and\xc2\xa0\n                       investment\xc2\xa0process.\xc2\xa0(Base)\xc2\xa0\n               11.1.3. Establishes\xc2\xa0a\xc2\xa0discrete\xc2\xa0line\xc2\xa0item\xc2\xa0for\xc2\xa0information\xc2\xa0security\xc2\xa0in\xc2\xa0organizational\xc2\xa0\n                       programming\xc2\xa0and\xc2\xa0documentation\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0SA\xe2\x80\x902).\xc2\xa0(Base)\xc2\xa0\n               11.1.4. Employs\xc2\xa0a\xc2\xa0business\xc2\xa0case/Exhibit\xc2\xa0300/Exhibit\xc2\xa053\xc2\xa0to\xc2\xa0record\xc2\xa0the\xc2\xa0information\xc2\xa0\n                       security\xc2\xa0resources\xc2\xa0required\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0PM\xe2\x80\x903).\xc2\xa0(Base)\xc2\xa0\n               11.1.5. Ensures\xc2\xa0that\xc2\xa0information\xc2\xa0security\xc2\xa0resources\xc2\xa0are\xc2\xa0available\xc2\xa0for\xc2\xa0expenditure\xc2\xa0as\xc2\xa0\n                       planned.\xc2\xa0(Base)\xc2\xa0\n       11.2. 
Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n             security\xc2\xa0capital\xc2\xa0planning\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\n\n\n\n\n                                                                                                   Page 28\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   One\xc2\xa0key\xc2\xa0area\xc2\xa0of\xc2\xa0capital\xc2\xa0investment\xc2\xa0in\xc2\xa0the\xc2\xa0next\xc2\xa0few\xc2\xa0years\xc2\xa0will\xc2\xa0be\xc2\xa0investments\xc2\xa0in\xc2\xa0the\xc2\xa0tools\xc2\xa0and\xc2\xa0\n       other\xc2\xa0infrastructure\xc2\xa0needed\xc2\xa0for\xc2\xa0adequate\xc2\xa0continuous\xc2\xa0monitoring.\xc2\xa0\xc2\xa0Fortunately,\xc2\xa0most\xc2\xa0of\xc2\xa0these\xc2\xa0\n       tools\xc2\xa0also\xc2\xa0support\xc2\xa0(and\xc2\xa0are\xc2\xa0needed\xc2\xa0for)\xc2\xa0good\xc2\xa0network\xc2\xa0and\xc2\xa0system\xc2\xa0operations.\xc2\xa0\xc2\xa0Thus,\xc2\xa0many\xc2\xa0of\xc2\xa0\n       these\xc2\xa0tools\xc2\xa0may\xc2\xa0already\xc2\xa0be\xc2\xa0in\xc2\xa0place.\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   This\xc2\xa0section\xc2\xa0might\xc2\xa0equally\xc2\xa0consider\xc2\xa0operational\xc2\xa0budgeting.\xc2\xa0\xc2\xa0Clearly,\xc2\xa0good\xc2\xa0security\xc2\xa0requires\xc2\xa0a\xc2\xa0\n       wise\xc2\xa0investment\xc2\xa0of\xc2\xa0operational\xc2\xa0resources,\xc2\xa0not\xc2\xa0just\xc2\xa0capital\xc2\xa0ones.\xc2\xa0\n\n\n\n\n                                                                                      
          Page 29\n\x0c                Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n             Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nJody Kitazono, Audit Manager\nBret Hunter, Senior Auditor\nMary Jankowski, Senior Auditor\nLouis Lee, Senior Auditor\nMidori Ohno, Senior Auditor\nEsther Wilson, Senior Auditor\nLinda Nethery, Information Technology Specialist\n\n\n\n\n                                                                                     Page 30\n\x0c               Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n            Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                                                                 Appendix III\n\n                       Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief Technology Officer OS:CTO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                       Page 31\n\x0c              Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n           Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                                                                          Appendix IV\n\n Treasury Inspector General for Tax Administration\n  Information Technology Security-Related Reports\nIssued During 
the Fiscal Year 2012 Evaluation Period\n\n 1. Treasury Inspector General for Tax Administration (TIGTA), Ref. No. 2011-20-076,\n    The IRS2GO Smartphone Application Is Secure, but Development Process Improvements\n    Are Needed (Aug. 2011).\n 2. TIGTA, Ref. No. 2011-20-088, The Modernized e-File Release 6.2 Included\n    Enhancements, but Improvements Are Needed for Tracking Performance Issues and\n    Security Weaknesses (Sept. 2011).\n 3. TIGTA, Ref. No. 2011-20-116, Treasury Inspector General for Tax Administration \xe2\x80\x93\n    Federal Information Security Management Act Report for Fiscal Year 2011 (Sept. 2011).\n 4. TIGTA, Ref. No. 2011-20-111, Continued Centralization of the Windows Environment\n    Would Improve Administration and Security Efficiencies (Sept. 2011).\n 5. TIGTA, Ref. No. 2011-20-101, Security Controls Over Wireless Technology Were\n    Generally in Place; However, Further Actions Can Improve Security (Sept. 2011).\n 6. TIGTA, Ref. No. 2011-20-099, The Mainframe Databases Reviewed Met Security\n    Requirements; However, Automated Security Scans Were Not Performed (Sept. 2011).\n 7. TIGTA, Ref. No. 2012-20-019, The Computer Security Incident Response Center Is\n    Effectively Performing Most of Its Responsibilities, but Further Improvements Are\n    Needed (Mar. 2012).\n 8. TIGTA, Ref. No. 2012-20-041, Disaster Recovery Testing Is Being Adequately\n    Performed, but Problem Reporting and Tracking Can Be Improved (May 2012).\n 9. TIGTA, Ref. No. 
2012-20-063, Enterprise-Level Oversight Is Needed to Ensure\n    Adherence to Windows Server Security Policies (June 2012).\n\n\n\n\n                                                                                   Page 32\n\x0c                Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n             Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                                                                               Appendix V\n\n                           Glossary of Terms\n\nTerm                      Definition\nAccreditation (or         Includes all components of an information system to be authorized\nAuthorization) Boundary   for operation by an authorizing official and excludes separately\n                          authorized systems to which the information system is connected.\nAdministrative Account    A user account with full privileges on a computer.\nAuthentication            Verifying the identity of a user, process, or device, often as a\n                          prerequisite to allowing access to resources in an information\n                          system.\nBoundary Protection       Monitoring and control of communications at the external\n                          boundary of an information system to prevent and detect malicious\n                          and other unauthorized communication through the use of\n                          boundary protection devices.\nBoundary System           Physical or logical perimeter of a system.\nCloud (Computing)         The use of computing resources (hardware and software) that are\nEnvironment               delivered as a service over a network (typically the Internet). 
The\n                          name comes from the use of a cloud-shaped symbol as an\n                          abstraction for the complex infrastructure it contains in system\n                          diagrams.\nConfiguration Baseline    A set of specifications for a system, or a configuration item within\n                          a system, that has been formally reviewed and agreed on at a given\n                          point in time, and that can be changed only through change control\n                          procedures. The baseline configuration is used as a basis for\n                          future builds, releases, and/or changes.\nConfiguration Items       Assets, service components, or other items that are (or will be)\n                          controlled by configuration management.\n\n\n\n\n                                                                                       Page 33\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n\nTerm                        Definition\nConfiguration Management A collection of activities focused on establishing and maintaining\n                         the integrity of products and systems through control of the\n                         processes for initializing, changing, and monitoring the\n                         configurations of those products and systems throughout the\n                         system development life cycle.\nDemilitarized Zone          A network segment inserted as a \xe2\x80\x9cneutral zone\xe2\x80\x9d between an\n                            organization\xe2\x80\x99s private network and the Internet.\nDevice Identification and   The information system uniquely identifies and authenticates\nAuthentication              before establishing a connection. 
See Authentication.\nFederal Desktop Core        OMB-mandated set of security configurations for all Federal\nConfiguration               workstation and laptop devices that run either Windows XP or\n                            Vista.\nFirewall                    A gateway that limits access between networks in accordance with\n                            local security policy.\nGeneral Support System      An interconnected set of information resources under the same\n                            direct management control that shares common functionality. It\n                            normally includes hardware, software, information, data,\n                            applications, communications, and people.\nIdentity and Access         Addresses the mission-critical need to ensure appropriate access to\nManagement                  resources across increasingly heterogeneous technology\n                            environments and to meet increasingly rigorous compliance\n                            requirements.\nInternal Revenue Manual     The IRS publication of its information security policies,\n                            guidelines, standards, and procedures in order for IRS divisions\n                            and offices to carry out their respective responsibilities in\n                            information security.\nInternet Protocol           Standard protocol for transmission of data from source to\n                            destinations in packet-switched communications networks and\n                            interconnected systems of such networks.\nLeast Privilege             The security objective of granting users only those accesses they\n                            need to perform their official duties.\n\n\n\n\n                                                                                       Page 34\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security 
Management Act Report for Fiscal Year 2012\n\n\n\n\nTerm                         Definition\nLogical Access               Controls used to determine the electronic information and systems\n                             that users and other systems may access and the actions that may\n                             be performed to the information accessed.\nMalware                      A program that is inserted into a system, usually covertly, with the\n                             intent of compromising the confidentiality, integrity, or availability\n                             of the computer\xe2\x80\x99s data, applications, or operating system.\nMilestone                    The \xe2\x80\x9cgo/no-go\xe2\x80\x9d decision point in a project; it is sometimes\n                             associated with funding approval to proceed.\nMultifactor Authentication   Authentication using two or more factors to achieve\n                             authentication. Factors include: (1) something you know (e.g.,\n                             password/PIN); (2) something you have (e.g., cryptographic\n                             identification device, token); or (3) something you are (e.g.,\n                             physical characteristic).\nnCircle                      An automated tool that scans computers for vulnerabilities related\n                             to network exploits and renders a report of findings.\nOperating System             A set of software that manages computer hardware resources and\n                             provides common services for computer programs. The operating\n                             system is a vital component of the system software in a computer\n                             system. 
Application programs require an operating system to\n                             function.\nPatch Management             The systematic notification, identification, deployment,\n                             installation, and verification of operating system and application\n                             software code revisions. These revisions are known as patches, hot\n                             fixes, and service packs.\nPhishing (Attack)            Tricking individuals into disclosing sensitive personal information\n                             through deceptive computer-based means.\nPlaintext                    Intelligible data that has meaning and can be understood without\n                             the application of decryption.\nPlan of Action and           A document that identifies tasks needing to be accomplished. It\nMilestones                   details resources required to accomplish the elements of the plan,\n                             any milestones in meeting the tasks, and scheduled completion\n                             dates for the milestones.\n\n\n\n                                                                                           Page 35\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n\nTerm                        Definition\nPolicy Checker              An automated tool that reads the security settings of computers\n                            and logs any noncompliant setting to text files.\nPrivileged Account          Individuals who have access to set \xe2\x80\x9caccess rights\xe2\x80\x9d for users on a\n                            given system. 
Sometimes referred to as system or network\n                            administrative accounts.\nRemote Access               Access to an organizational information system by a user (or an\n                            information system acting on behalf of a user) communicating\n                            through an external network (e.g., the Internet).\nRogue Computer              An unauthorized computer on a network.\nSecurity Capital Planning   The integration of information technology security and capital\n                            planning processes to ensure that agency resources are protected\n                            and risk is effectively managed.\nSeparation of Duties        As a security principle, its primary objective is the prevention of\n                            fraud and errors. This objective is achieved by disseminating the\n                            tasks and associated privileges for a specific business process\n                            among multiple users.\nSingle-factor               Authentication using one factor (e.g., a username or password) to\nAuthentication              achieve authentication. See Authentication.\nSingle Sign-On              Provides the capability to authenticate once and be subsequently\n                            and automatically authenticated when accessing various target\n                            systems. It eliminates the need to separately authenticate and sign\n                            on to individual applications and systems, essentially serving as a\n                            user surrogate between client workstations and target systems.\nSocial Engineering          An attempt to trick someone into revealing information (e.g., a\n                            password) that can be used to attack systems or networks.\nTwo-factor Authentication   Authentication using two factors to achieve authentication. 
See\n                            Multifactor Authentication.\nUS-CERT                     A partnership between the Department of Homeland Security and\n                            the public and private sectors established to protect the Nation\xe2\x80\x99s\n                            Internet infrastructure. US-CERT coordinates defense against and\n                            responses to cyberattacks across the Nation.\n\n\n\n\n                                                                                         Page 36\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n\nTerm                         Definition\nVirtual Environment          The physical system running a host operating system and\n                             hypervisor (i.e., software that allows a single host to run one or\n                             more guest operating systems).\nVulnerability Scanning       Scanning for specific functions, ports, protocols, and services that\n(i.e., Software Assessing)   should not be accessible to users or devices and for improperly\n                             configured or incorrectly operating information flow mechanisms.\nZero-Day Vulnerability       An exploit that takes advantage of a security vulnerability on the\n                             same day that the vulnerability becomes generally known. There\n                             are zero days between the time the vulnerability is discovered and\n                             the first attack. Given time, the software company can fix the code\n                             and distribute a patch or software update.\n\n\n\n\n                                                                                           Page 37\n\x0c'